ABSTRACT 


Title of dissertation: INTRUSION DETECTION FOR DEFENSE AT THE MAC AND ROUTING LAYERS OF WIRELESS NETWORKS

Svetlana Radosavac
Doctor of Philosophy, 2007

Dissertation directed by: Professor John S. Baras
Department of Electrical and Computer Engineering

The pervasiveness of wireless devices and the architectural organization of wireless networks in distributed communities, where no notion of trust can be assumed, are the main reasons for the growing interest in the issue of compliance to protocol rules. Nevertheless, the random nature of protocol operation together with the inherent difficulty of monitoring in the open and highly volatile wireless medium poses significant challenges. In this thesis, the problem of detection of node misbehavior at the MAC layer and the impact of such behavior on two different routing protocols in the Network Layer is considered. Starting from a model where the behavior of a node is observable, we cast the problem within a min-max robust detection framework, with the objective to provide a detection rule of optimum performance for the worst-case attack in the MAC layer. With this framework we capture the uncertainty of attacks launched by intelligent adaptive attackers and concentrate on the class of attacks that are most significant in terms of incurred performance losses. Furthermore, we show that our ideas can be extended to the case where observations are hindered by interference due to concurrent transmissions and derive performance bounds of both the attacker and the detection system in such scenarios. We extend the proposed framework to model collaborative attacks and quantify the impact of such attacks on optimal detection systems by mathematical analysis and simulation. Finally, by using the principle of cross-entropy minimization, we present a general procedure for constructing an optimal attack scenario in the MAC layer under a general set of constraints that can be adapted based on specific requirements of an Intrusion Detection System (IDS).

Report Documentation Page (Standard Form 298, Rev. 8-98, prescribed by ANSI Std Z39-18; Form Approved OMB No. 0704-0188)
Dates covered: 00-00-2007 to 00-00-2007
Title and subtitle: Intrusion Detection for Defense at the MAC and Routing Layers of Wireless Networks
Performing organization name and address: University of Maryland, Department of Electrical and Computer Engineering, College Park, MD 20742
Distribution/availability statement: Approved for public release; distribution unlimited
Abstract: as above
Security classification of report, abstract and this page: unclassified
Limitation of abstract: Same as Report (SAR)
Number of pages: 113


INTRUSION DETECTION FOR DEFENSE AT THE MAC AND ROUTING LAYERS OF WIRELESS NETWORKS

by

Svetlana Radosavac

Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in partial fulfillment of the requirements for the degree of Doctor of Philosophy, 2007

Advisory Committee:
Professor John S. Baras, Chair/Advisor
Professor Gang Qu
Professor Manoj Franklin
Professor Virgil D. Gligor
Professor V. S. Subrahmanian

(c) Copyright by Svetlana Radosavac, 2007


Dedication

To my parents, for their unconditional love and support throughout my whole life.


Acknowledgements

I would like to thank my advisor, Professor John S. Baras, for his continuous guidance and support throughout my PhD studies. I would also like to thank Dr Gang Qu, Dr Manoj Franklin, Dr Virgil Gligor and Dr V. S. Subrahmanian for agreeing to serve on my committee. In particular, I am thankful to Professor Virgil Gligor for constructive comments on my M.S. thesis that led me to think about several problems in a more practical manner and formulate the problems in my PhD thesis in a clearer way. I am very grateful to Professor V. S. Subrahmanian for agreeing to serve on my committee as the Dean's representative without any prior notice.

Many thanks to Professor George V. Moustakides, who greatly helped me in understanding sequential detection principles. His patience and generous feedback on many problems we worked on helped me greatly in writing my thesis and shed light on many unsolved problems I was working on.

I am in particular indebted to my colleagues and friends, with whom I spent many years in College Park. I would like to thank Nassir BenAmmar for his generous help with the implementation of the IEEE 802.11 MAC misbehavior models in OPNET and many useful discussions on several open problems. Angela Huang helped me greatly in gaining a deeper understanding of routing protocols and their implementation. Special thanks go to Alvaro Cardenas for many years of friendship and cooperation. I learned a lot from our lengthy discussions on many problems in the area of Intrusion Detection.

I would also like to thank Aleksandar Simic and Katarina Stojadinovic for many years of friendship. Both of them, each in their own way, helped me greatly during my studies.

Finally, I would like to thank my family with all my heart for their infinite love and support throughout my life. Their love gave me strength to go on during the most difficult moments of my life and the least I can do is to dedicate this thesis to them.

I am grateful for the support of my research work and graduate studies through the following contracts and grants: the U.S. Army Research Office under CIP URI grant No. DAAD19-01-1-0494 and the Communications and Networks Consortium sponsored by the U.S. Army Research Laboratory under the Collaborative Technology Alliance Program, Cooperative Agreement DAAD19-01-2-0011.


Table of Contents

List of Figures ... vii
List of Abbreviations ... ix
1 Introduction ... 1
1.1 Our contributions ... 3
1.2 Thesis Organization ... 5
2 Literature overview ... 7
2.1 MAC layer misbehavior detection ... 7
2.2 Cross-layer misbehavior detection ... 10
3 IEEE 802.11 MAC DCF ... 12
3.1 Overview of the protocol ... 12
3.2 IEEE 802.11 MAC Misbehavior ... 13
3.3 Impact of interference on misbehavior detection schemes ... 16
3.3.1 Interference due to concurrent transmissions ... 17
3.3.2 Interference due to simultaneous channel access ... 18
4 Min-max robust misbehavior detection ... 20
4.1 Introduction ... 20
4.2 Problem motivation and sequential detection ... 21
4.3 Min-max robust detection: definition of uncertainty class ... 26
4.3.1 Problem description and assumptions ... 27
4.3.2 Adversary model ... 28
4.4 Min-max robust detection: derivation of the worst-case attack ... 32
4.5 Experimental evaluation of optimal attack strategies ... 37
4.5.1 Impact of multiple competing nodes on the performance of the optimal attacker ... 43
4.5.2 Performance comparison of MAC layer misbehavior detection schemes ... 43
5 Collaborative attacks ... 49
5.1 Definition of the Uncertainty Class ... 50
5.2 Derivation of the worst-case attack for n = 2 adversaries ... 52
5.3 Derivation of the worst-case attack for n > 2 adversaries ... 55
5.4 Experimental Results ... 57
6 Impact of interference on the performance of optimal detection schemes ... 62
6.1 Overview ... 62
6.2 Problem setup ... 64
6.2.1 Derivation of the worst-case attack in the presence of interference ... 66
6.3 FSM for SINR variation ... 70
6.3.1 System model ... 70
6.3.2 Performance analysis ... 71
7 Cross-entropy minimization and its applications in intrusion detection ... 74
7.1 Analysis of single and multi-stage attacks ... 74
7.2 Derivation of the worst-case attack using the principle of minimum cross-entropy ... 78
7.3 Optimal Attack Scenario in the MAC Layer Using the Cross-entropy Method ... 81
8 Cross-layer impact of optimal attacks ... 83
8.1 Impact of MAC Layer Misbehavior on the Network Layer: Time to Buffer Overflow ... 85
8.2 Numerical Results ... 91
8.2.1 Cross-layer effects of the optimal MAC layer attacks ... 91
8.2.2 Implementation of an optimal MAC layer-based IDS ... 95
Bibliography ... 99


List of Figures

3.1 Nodes A and C contend for accessing node B. In the first attempt A reserves the channel, followed by successful access by node C ... 13
3.2 Observer nodes and effect of interference due to concurrent transmissions ... 15
4.1 Form of least favorable pdf f_1(x): a) number of legitimate nodes n = 2, 1 malicious node and gain factor η = 1, 1.5, 2, 2.5; b) gain factor η = 1.5 and number of legitimate nodes n = 1, 2, 5, ∞; c) absolute gain and number of legitimate nodes n = 1, 2, 5, 10, 20 ... 38
4.2 Average Detection Delay E[N] as a function of (a) gain factor η, (b) absolute gain, for α = β = 0.01 ... 40
4.3 Tradeoff curve for = 0.5, 0.6, 0.8 and n = 2 ... 42
4.4 Tradeoff curve for = 0.5 and n = 2, 3 ... 42
4.5 Tradeoff curve for = 0.6 and n = 2, 3, 4, 5 ... 43
4.6 Tradeoff curve for = 0.5 and n = 2, 3, 4 ... 44
4.7 Tradeoff curves for the DOMINO algorithm. One curve shows its performance when detecting an adversary that chooses f_1^* and the other is the performance when detecting an adversary that chooses ... 45
4.8 Tradeoff curves for the SPRT algorithm. One curve shows its performance when detecting an adversary that chooses f_1^* and the other is the performance when detecting an adversary that chooses f_1 ... 46
4.9 Tradeoff curves for SPRT and DOMINO algorithms ... 47
5.1 The optimal pdf of colluding adversaries ... 54
5.2 Tradeoff curves for 2 colluding nodes and η = 0.3, 0.6 and 0.9 ... 59
5.3 Tradeoff curves for η = 0.6: detection times for colluding nodes are up to 2 times longer than for a single node with identical strategy ... 59
5.4 Tradeoff curves for η = 0.9: detection times for colluding nodes are up to 3 times longer than for a single node with identical strategy ... 60
5.5 Tradeoff curves for η = 0.9 (single attacker) and η = 0.4 (colluding attackers) ... 61
6.1 Average detection delay for different values of SINR and n = 1, 3, 10 ... 62
6.2 PER [%] as a function of SINR for RTS and CTS messages ... 64
6.3 Noise diagram ... 66
6.4 Markov Chain representation of the system. Each state corresponds to a different SINR level ... 70
6.5 Performance comparison of the detection scheme with and without interference for = 0.8 ... 72
8.1 Node2 is silenced by the transmission of the selfish node. Consequently, Node1 drops a large number of packets ... 85
8.2 An ongoing attack in the MAC layer breaks the original route, re-routing the traffic through Node3 ... 85
8.3 Arrival and departure times in the queue of length 6 ... 86
8.4 Average time to buffer overflow for ρ = β/α = 3/2 (stability) and ρ = β/α = 2/3 (instability), as a function of the buffer size v ... 89
8.5 Average time to buffer overflow as a function of the traffic rate ratio ρ = β/α and buffer size v = 100 ... 89
8.6 The amount of lost traffic as a function of detection delay for fixed buffer size v = 100 ... 91
8.7 Increase in dropped traffic at Node1 ... 93
8.8 Percentage increase in traffic through the alternate route as a consequence of an ongoing MAC layer attack ... 94
8.9 Proposed cross-layer collaboration ... 96


List of Abbreviations

AODV  Ad hoc On-Demand Distance Vector
BER  Bit Error Rate
CSMA/CA  Carrier Sense Multiple Access with Collision Avoidance
CTS  Clear To Send
CUSUM  Cumulative Sum
CW  Contention Window
DCF  Distributed Coordination Function
DIFS  Distributed Inter-Frame Space
DoS  Denial of Service
DSR  Dynamic Source Routing
IDS  Intrusion Detection System
LAR  Location-Aided Routing
MAC  Media Access Control
MACA  Multiple Access Collision Avoidance
NAV  Network Allocation Vector
PER  Packet Error Rate
RTS  Request To Send
SIFS  Short Inter-frame Space
SINR  Signal to Interference and Noise Ratio
SPRT  Sequential Probability Ratio Test


Chapter 1
Introduction

Deviation from legitimate protocol operation in wireless networks has received considerable attention from the research community in recent years. The pervasive nature of wireless networks, with devices that are gradually becoming essential components of our everyday life, justifies the rising interest in this issue. In addition, the architectural organization of wireless networks in distributed, secluded user communities raises issues of compliance with protocol rules. More often than not, users are clustered in communities that are defined on the basis of proximity, common service or some other common interest. Since such communities are bound to operate without a central supervising entity, no notion of trust can be presupposed.

Furthermore, the increased level of sophistication in the design of protocol components, together with the requirement for flexible and readily reconfigurable protocols, has led to the extreme where wireless network adapters and devices have become easily programmable. As a result, it is feasible for a network peer to tamper with software and firmware, modify its wireless interface and network parameters and ultimately abuse the protocol. This situation is referred to as protocol misbehavior. The goals of a misbehaving peer range from exploitation of available network resources for its own benefit up to network disruption. The solution to the problem is the timely and reliable detection of such misbehavior instances, which would eventually lead to network defense and response mechanisms and isolation of the misbehaving peer. However, two difficulties arise: the random nature of some protocols (such as the IEEE 802.11 medium access control protocol) and the nature of the wireless medium with its inherent volatility. Therefore, it is not easy to distinguish between peer misbehavior and an occasional protocol malfunction due to a wireless link impairment. An additional difficulty specific to the wireless environment arises when observations of protocol participants are hindered by interference due to concurrent transmissions. As a consequence, a detector may miss one or more control messages sent by the attacker, which delays the detection process because the detector registers an erroneous observation sequence. In the less severe case, when the perceived and actual interference levels are similar, the detector is aware of the existence of discrepancies between the measured and actual behavior of monitored peers and either adjusts its detection strategy or notifies the rest of the network that it is unable to reach a reliable decision. In the more severe case, when the perceived interference level is significantly lower than the actual one, an increase in false negatives is observed, i.e. the number of missed detections increases.

Further challenges arise in the presence of multiple collaborating adversaries. We assume that colluding participants collaborate by exchanging information and by taking actions that amplify each other's effects on network functionality. Furthermore, such collaborative attacks employ "intelligence", that is, they observe the actions of detectors and defenders and adjust the timing, the stages or the actions of the adversaries. Understanding the performance of collaborating adversaries versus collaborating detectors and defenders is a key issue that involves several fundamental challenges, including modeling of optimal adversarial strategies, optimal detection, timely localization, etc.

It is reasonable to assume that an intelligent adversary does not focus his activities at the origin of the attack only, but attempts to disrupt network functionality on a larger scale by employing strategies that result in both horizontal and vertical propagation of misbehavior. As a consequence, a detection system that resides in a single network layer may not be sufficient for the detection of more sophisticated attack strategies.

It is important to mention that, due to the unpredictability of wireless protocols and the medium itself, it is impossible to completely predict adversarial behavior. More specifically, as will be demonstrated in this thesis, such an approach is undesirable and leads to the construction of an IDS that is capable of detecting only a narrow class of attacks. For that specific class of attacks the given IDS exhibits a superior detection rate, but when the adversarial strategy deviates slightly from the original one, the detection rate quickly falls below an acceptable threshold. In this thesis we aim to provide general performance bounds for the worst-case attack scenarios in wireless networks for the case of a single intelligent adversary, in environments with and without interference, and for colluding adversaries. We adopt a game-theoretic approach for modeling such behaviors and extend our analysis by introducing the notion of minimum cross-entropy. The provided scenarios represent the worst-case performance bounds of the detection system.

1.1 Our contributions

In the first part of the thesis, we address the problem of MAC protocol misbehavior detection at a fundamental level and cast it as a min-max robust detection problem. We perform our analysis by assuming the presence of an intelligent adaptive adversary. Our work contributes to the current literature by: (i) formulating the misbehavior problem as a min-max robust sequential detection problem that encompasses the case of an intelligent attacker, (ii) quantifying performance losses incurred by an attack and defining an uncertainty class such that the focus is only on attacks that incur "large enough" performance losses, therefore avoiding the trap of wasting system resources on detection and notification of minor short-term disruptions in the network that may or may not be of adversarial nature, (iii) obtaining an analytical expression for the worst-case attack and the number of observations required for detection, (iv) establishing an upper bound on the number of required samples for detection of any of the attacks of interest, therefore providing the worst-case performance evaluation of the given detection system, and (v) extending the basic model to scenarios with interference due to concurrent transmissions and obtaining performance bounds of both the adversary and the detection system in such settings. We implement the derived optimal class of attacks in the network simulator OPNET [1] and compare the performance of such attacks against optimal and sub-optimal detection schemes. Furthermore, we extend the proposed framework by formulating the problem of optimal detection against misbehavior of intelligent colluding attackers in the IEEE 802.11 MAC and obtain an upper bound on the number of required samples for detection of such attacks. In addition, we perform a detailed evaluation of collaborative attacks and quantify their performance by comparing their effects on the system with the effects of a single attacker of identical strength, and emphasize the importance of localization in timely detection of such attacks.

The different layers in the network stack communicate with each other, enabling the propagation of misbehavior instances between layers. Thus, misbehavior that takes place at the MAC layer can significantly affect the routing process as well. The current literature only considers brute force attacks, such as Denial of Service (DoS) attacks in the MAC layer, and their impact on the Network Layer. In this thesis we investigate the effects of the worst-case attacks that originate in the MAC layer on two routing protocols. We show by analysis and simulation that vertical propagation of misbehavior gives rise to new threats, such as false accusation of legitimate nodes by the IDS located in the network layer. Additionally, the distributed nature of wireless ad hoc networks, as well as the randomness of the employed protocols, makes the task of detection and localization of malicious participants extremely challenging.

Finally, we apply the principle of minimum cross-entropy and derive a general framework for the construction of optimal attacks in the IEEE 802.11 MAC.

1.2 Thesis Organization

The thesis is organized as follows. Chapter 2 discusses existing work in the areas of IEEE 802.11 MAC misbehavior detection and cross-layer propagation and detection of such attacks. Chapter 3 presents a brief overview of the IEEE 802.11 MAC DCF and analyzes its potential vulnerabilities (i) in regular settings and (ii) in the presence of interference. In Chapter 4 we formally define our problem of misbehavior detection and place it into a min-max robust framework. We define performance bounds of an intelligent adaptive attacker and the quickest IDS using a game-theoretic approach and perform both analytical and experimental evaluation in various settings. In Chapter 5, we extend the proposed framework to the case of colluding adversaries and obtain the expression for the worst-case attack for the case of n > 2 collaborating adversaries. We analyze the impact of collaborating adversaries on the performance of the system and compare the effects to those obtained by a single attacker of the same strength in terms of detection delay. In Chapter 6 we continue the analysis from Chapter 4 by providing a detailed analysis of the impact of interference on the performance of quickest detection schemes. In Chapter 7 we apply the method of cross-entropy minimization to the problem of worst-case attacks in the IEEE 802.11 MAC. Finally, in Chapter 8 we analyze the impact of the worst-case MAC layer attacks on the performance of two Network Layer protocols and propose an efficient cross-layer detection scheme that provides timely prevention of vertical propagation of such attacks.

Chapter 2
Literature overview

Protocol misbehavior has been studied in various scenarios, in different communication layers and under several mathematical frameworks. To our knowledge, there exists no unique adversarial model that can be used for the evaluation of existing IDSs. The lack of such models, capturing a wide class of misbehavior strategies (with the brute force strategy being the extreme instance of misbehavior), represents a major problem for evaluation and performance comparison of existing detection schemes. In addition, the absence of such models makes a fair performance comparison of existing schemes almost impossible, because each detection scheme is constructed for detection of a specific class of adversarial strategies. As an illustration of this point, consider two detection systems, IDS1 with detection strategy D1 and IDS2 with detection strategy D2, which were constructed for detection of adversarial strategies A1 and A2 respectively. We claim that, since each detection system was constructed for detection of a specific class of attacks, IDS1 will exhibit superior performance in detecting adversarial strategy A1. On the other hand, it will exhibit sub-optimal performance for detection of an attack that belongs to class A2. The same holds for IDS2. This claim will be illustrated by detailed experimental analysis in Chapter 4.

2.1 MAC layer misbehavior detection

The authors in [2] focus on MAC layer misbehavior in wireless hot-spot communities. They propose a sequence of conditions on available observations for testing the extent to which MAC protocol parameters have been manipulated. The advantage of the scheme is its simplicity and ease of implementation, although in some cases the method can be deceived by cheating peers, as the authors point out. A different line of thought is followed by the authors in [3], where a modification to the IEEE 802.11 MAC protocol is proposed to facilitate the detection of selfish and misbehaving nodes. The approach presupposes a trustworthy receiver, since the latter assigns to the sender the back-off value to be used. The receiver can readily detect potential misbehavior of the sender and accordingly penalize it by providing less favorable access conditions through higher back-off values for subsequent transmissions. A decision about protocol deviation is reached if the observed number of idle slots of the sender is smaller than a pre-specified fraction of the allocated back-off. The sender is labeled as misbehaving if it turns out to deviate continuously, based on a cumulative metric over a sliding window. This work also presents techniques for handling potential false positives due to the hidden terminal problem and the different channel quality perceived by the sender and the receiver. The work in [4] attempts to prevent scenarios of colluding sender-receiver pairs by ensuring randomness in the course of the MAC protocol.

A game-theoretic framework for the same problem at the MAC layer is provided in [5]. Using a dynamic game model, the authors derive the strategy that each node should follow in terms of controlling channel access probability by adjustment of the contention window, so that the network reaches its equilibrium. They also provide conditions under which the Nash equilibrium of the network with several misbehaving nodes is Pareto optimal for each node as well. The underlying assumption is that all nodes are within wireless range of each other so as to avoid the hidden terminal problem.

Node misbehavior can be viewed as a special case of a denial-of-service (DoS) attack or, equivalently, a DoS attack can be considered as an extreme instance of misbehavior. DoS attacks at the MAC layer are a significant threat to availability of network services. This threat is intensified in the presence of the open wireless medium. In [6], the authors study simple DoS attacks at the MAC layer, show their dependence on attacker traffic patterns and deduce that the use of MAC layer fairness can mitigate the effect of such attacks. In [7] the authors focus on DoS attacks against the IEEE 802.11 MAC protocol. They describe vulnerabilities of the protocol and show ways of exploiting them by tampering with normal operation of device firmware.

As can be seen from the above analysis, mostly brute force and DoS attacks are considered in the current literature. Such approaches exclude the existence of an intelligent adaptive adversary that has the ability to change his behavior depending on the type of the deployed IDS and the current environment (i.e. number of competing nodes, interference levels, etc.). In this work we adopt the notion of an intelligent adaptive adversary and evaluate his impact on an optimal IDS. By adopting a general adversarial model we (i) derive performance bounds of the adversary, (ii) derive performance bounds of the IDS (i.e. evaluate the best and worst-case scenarios with respect to the detection delay) and (iii) enable comparison of several existing adversarial strategies and detection systems by placing them in our framework.

Misbehavior detection has been studied at the network layer for routing protocols as well. The work in [8] presents the watchdog mechanism, which detects nodes that do not forward packets destined for other nodes. The pathrater mechanism evaluates the paths in terms of trustworthiness and helps in avoiding paths with untrusted nodes. The technique presented in [9] aims at detecting malicious nodes by means of neighborhood behavior monitoring and reporting from other nodes. A trust manager, a reputation manager and a path manager aid in information circulation throughout the network, evaluation of appropriateness of paths and establishment of routes that avoid misbehaving nodes. Detection, isolation and penalization of misbehaving nodes are also attained by the technique above.

2.2 Cross-layer misbehavior detection

Various IDS techniques, mostly based on misuse and anomaly detection principles, have been proposed for attack detection and prevention. Most of the existing intrusion detection approaches focus on attack detection and response at a particular layer of the protocol stack, mostly the network layer. The effects of the various attacks launched in one layer on the performance of another layer have not been widely investigated. The authors in [10] present a cautionary perspective on cross-layer design. They emphasize the importance of the approach and discuss the architectural problems that cross-layer design, if done without care, can create. In [11], the authors define the notion of cross-layer design and state three main reasons for using it in the wireless environment: (i) the unique problems created by the wireless links; (ii) the possibility of opportunistic communication on wireless links and (iii) the new modalities of communication offered by the wireless medium. In addition to that, they classify cross-layer design proposals and present proposals for implementing cross-layer interactions. The field of intrusion detection has not appropriately addressed the importance of cross-layer design and its benefits in attack detection and prevention. In [12] the authors use a cross-layer based IDS to analyze the anomalies in the network. They introduce the concept of integrating multiple layers of the protocol stack for more efficient intrusion detection. In [13] the authors study the interaction of the routing and MAC layer protocols under different mobility parameters. They simulate interaction between three MAC protocols (MACA, 802.11 and CSMA) and three routing protocols (AODV, DSR and the LAR scheme) and perform statistical analysis in order to characterize the interaction between layers in terms of latency, throughput, number of packets received and long term fairness. In [14] the authors quantify the impact of link-layer misbehavior on the performance of two routing protocols, DSR and AODV. They investigate two brute force attacks in the link layer, constant RTS/CTS packet dropping and back-off manipulation, and prove by simulation that each of the above attacks propagates to the network layer, affecting the overall network performance. In [15], the authors aim to develop a cross-layer detection framework that detects and localizes malicious participants in various layers of the network. They consider only brute force attacks, such as a DoS attack in the MAC layer and packet dropping in the network layer.
Chapter 3

IEEE 802.11 MAC DCF

3.1 Overview of the protocol

The most frequently used MAC protocol for wireless networks is the IEEE 802.11 MAC protocol, which uses a distributed contention resolution mechanism for sharing the wireless channel. Its design attempts to ensure a relatively fair access to the medium for all participants of the protocol. In order to avoid collisions, the nodes follow a binary exponential back-off scheme that favors the last winner amongst the contending nodes.

In the Distributed Coordination Function (DCF) of the IEEE 802.11 MAC protocol, coordination of channel access for contending nodes is achieved with Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) [16]. A node with a packet to transmit selects a random back-off value $b$ uniformly from the set $\{0, 1, \ldots, W-1\}$, where $W$ is the (fixed) size of the contention window. The back-off counter decreases by one at each time slot that is sensed to be idle and the node transmits after $b$ idle slots. In case the channel is perceived to be busy in one slot, the back-off counter stops momentarily. After the back-off counter is decreased to zero, the transmitter can reserve the channel for the duration of data transfer. First, it sends a request-to-send (RTS) packet to the receiver, which responds with a clear-to-send (CTS) packet. Thus, the channel is reserved for the transmission. Both RTS and CTS messages contain the intended duration of data transmission in the duration field. Other hosts overhearing either the RTS or the CTS are required to adjust their Network Allocation Vector (NAV), which indicates the duration for which they will defer transmission. This duration includes the SIFS intervals, data packets and the acknowledgment frame following the transmitted data frame. An unsuccessful transmission instance due to collision or interference is denoted by lack of CTS or ACK for the data sent and causes the value of the contention window to double. If the transmission is successful, the host resets its contention window to the minimum value $W$.

Fig. 3.1 illustrates the scenario of contending nodes using the protocol.

Figure 3.1: Nodes A and C contend for accessing node B. In the first attempt A reserves the channel, followed by successful access by node C.

Typical parameter values for the MAC protocol depend on the physical layer that IEEE 802.11 uses. Table 3.1 shows the parameters used when the physical layer is using direct sequence spread spectrum (DSSS).


3.2 IEEE 802.11 MAC Misbehavior

As has been seen in Sect. 3.1, the IEEE 802.11 DCF favors the node that selects the smallest back-off value among a set of contending nodes. Therefore, a malicious or selfish node may choose not to comply with protocol rules by occasionally or constantly selecting small back-off values, thereby gaining significant advantage in channel sharing over regularly behaving, honest nodes. Moreover, due to the exponential increase of the contention window after each unsuccessful transmission, non-malicious nodes are forced to select their future back-offs from larger intervals after every access failure. Consequently, their chances of accessing the channel decrease even further. Apart from intentional selection of small back-off values, a node can deviate from the MAC protocol in other ways as well. It can (i) choose a smaller size of contention window; (ii) wait for a shorter interval than DIFS or (iii) reserve the channel for a larger interval than the maximum allowed NAV duration. In this work, we adhere to protocol deviations that occur due to manipulation of the back-off values.

Table 3.1: Parameters for DSSS

    DIFS        50 µs
    SIFS        10 µs
    SlotTime    20 µs
    ACK         112 bits + PHY_header = 203 µs
    RTS         160 bits + PHY_header = 207 µs
    CTS         112 bits + PHY_header = 203 µs
    DATA        MAC_header (30b) + DATA (0-2312b) + FCS (4b)
    Timeouts    300-350 µs
    CW_min      32 time slots
    CW_max      1024 time slots
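The contention mechanism of Sect. 3.1 and the advantage that a back-off-manipulating node gains, as described above, can be seen in a slot-level simulation. The following Python block is an added example written for this edit and is not code from the thesis. It is a constructed simplification of DCF: each node keeps a residual back-off counter, a collision doubles the colliding nodes' contention window up to CWmax, a success resets it to CWmin, and RTS/CTS/NAV timing is abstracted away. `simulate`, `Node`, `honest_network`, `network_with_cheater` and the `selfish_cw` parameter are this example's own names; the misbehaving node draws every back-off uniformly from a small fixed window and ignores the exponential increase, which is the deviation the paragraph above describes.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

CW_MIN = 32     # CWmin from Table 3.1, in time slots
CW_MAX = 1024   # CWmax from Table 3.1, in time slots


@dataclass
class Node:
    name: str
    # None: honest node following DCF; otherwise the fixed small window from
    # which a misbehaving node always draws its back-off (constructed model)
    selfish_cw: Optional[int] = None
    cw: int = CW_MIN
    counter: int = 0
    successes: int = 0
    collisions: int = 0

    def draw(self, rng: random.Random) -> None:
        """Select a new back-off uniformly from {0, ..., window-1}."""
        window = self.selfish_cw if self.selfish_cw else self.cw
        self.counter = rng.randrange(window)


def simulate(nodes: List[Node], rounds: int, seed: int = 1) -> Dict[str, float]:
    """Slot-level DCF contention among nodes that all hear each other
    (no hidden terminals). Returns each node's share of successful
    transmissions over `rounds` contention rounds."""
    rng = random.Random(seed)
    for n in nodes:
        n.draw(rng)
    for _ in range(rounds):
        # The channel stays idle until the smallest counter reaches zero;
        # every node counts down by that many idle slots (residual back-off).
        idle = min(n.counter for n in nodes)
        for n in nodes:
            n.counter -= idle
        transmitters = [n for n in nodes if n.counter == 0]
        if len(transmitters) == 1:
            winner = transmitters[0]
            winner.successes += 1
            winner.cw = CW_MIN                    # success: window back to minimum
        else:
            for n in transmitters:                # collision: binary exponential back-off
                n.collisions += 1
                n.cw = min(2 * n.cw, CW_MAX)
        for n in transmitters:
            n.draw(rng)                           # only nodes that transmitted redraw
    total = sum(n.successes for n in nodes)
    return {n.name: n.successes / total for n in nodes}


def honest_network(count: int) -> List[Node]:
    return [Node(f"n{i}") for i in range(count)]


def network_with_cheater(honest: int, cheat_window: int = 4) -> List[Node]:
    """One misbehaving node that always draws from {0, ..., cheat_window-1}."""
    return [Node("cheater", selfish_cw=cheat_window)] + honest_network(honest)


if __name__ == "__main__":
    print("honest only :", simulate(honest_network(4), 20000))
    print("with cheater:", simulate(network_with_cheater(3), 20000))
```

With four honest nodes the shares settle near one quarter each; replacing one of them with a node that draws from a window of four slots hands that node well over half of all successful transmissions, and the honest nodes' collisions with it push their windows upward, which is the second effect the paragraph describes.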

Figure 3.2: Observer nodes and effect of interference due to concurrent transmissions.

The nodes that are instructed by the protocol to defer transmission are able to overhear transmissions from nodes whose transmission range they reside in. Therefore, silenced nodes can observe the behavior of transmitting nodes. The question that arises is whether there exists a way to take advantage of this observation capability and use it to identify potential misbehavior instances. If observations indicate a misbehavior event, the observer nodes should notify the rest of the network about this situation or could launch a response action in order to isolate the misbehaving nodes. Detecting misbehavior is not straightforward even in the simplest case, namely that of unobstructed observations. The difficulty stems primarily from the non-deterministic nature of the access protocol, which does not lead to a straightforward way of distinguishing between a legitimate sender that happens to select small back-offs and a misbehaving node that maliciously selects small back-offs. The open wireless medium and the different perceived channel conditions at different locations add to the difficulty of the problem. Additional challenges arise in the presence of interference due to ongoing concurrent transmissions. Fig. 3.2 depicts a scenario where node A or B is malicious. At this stage, we assume that A is the only misbehaving node and that no other node in its vicinity transmits. We assume that nodes have clocks that are synchronized through the use of GPS devices. Additional issues arising from errors in clock synchronization are not investigated in this work. Node A accesses the channel by using a randomly selected back-off value within its contention window. When the back-off counter decreases to zero, A sends an RTS to B, which replies with a CTS. Node A's RTS message silences nodes 1 to 7, which are in A's transmission radius. Similarly, node B's CTS silences nodes 4 to 10. Following the RTS-CTS handshake, A sends a data segment to B. After the transmission is over, A attempts to access the channel anew by selecting a back-off value again and the procedure repeats. Nodes 1-10 can hear the transmissions of nodes A or B, or of both, depending on whose transmission radius they reside in. Consider the $i$-th transmission of node A. A node in its transmission range finds the time point $t_i$ of RTS packet reception from

$$t_i = T_{i-1} + T_{DIFS} + b_i, \quad i > 1, \tag{3.1}$$

where $T_{i-1}$ denotes the end time point of reception of the previous data segment and $b_i$ is the random back-off value. Thus, the back-off values can be easily derived. Note that the back-off value before transmission of the first data segment cannot be found since there does not exist any previous reference point to compare it to. A node within transmission range of B can also compute the back-off used by A by using as a reference the time point of reception of the overheard ACK from node B for the previous data segment. Then, a node can measure the time point $t_i$ of CTS packet reception and compute the back-off of node A by using

$$t_i = t_{ACK,i-1} + T_{DIFS} + b_i + T_{RTS} + T_{SIFS}, \quad i > 1. \tag{3.2}$$

Similarly to the RTS case, the first back-off value cannot be found. Clearly, the entire sequence of back-offs of node A is observable in this fashion. It should also be noted that the identity of the node who uses those back-offs (which could potentially be a misbehaving one) is revealed in the corresponding fields of RTS or CTS messages.
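Eqs. (3.1) and (3.2) let an observer recover node A's back-offs from overheard frame timestamps. The following Python block is an added example, not code from the thesis: it constructs an observer log from a chosen back-off sequence using the DSSS timings of Table 3.1 and a made-up data-segment duration, then derives the back-offs back from it, dropping the first one exactly as the text notes. `build_timeline`, `backoffs_from_rts`, `backoffs_from_cts` and the tolerance check on slot alignment are this example's own; the simplification that the ACK for segment $i$ ends at the same instant $T_i$ is an assumption of the example.

```python
from typing import List, Optional, Tuple

# Timing parameters of Table 3.1 (DSSS physical layer), in microseconds
T_DIFS = 50
T_SIFS = 10
T_SLOT = 20
T_RTS = 207      # 160 bits + PHY header
T_CTS = 203      # 112 bits + PHY header
T_ACK = 203      # 112 bits + PHY header
T_DATA = 1200    # constructed duration of one data segment (assumption)


def build_timeline(backoffs: List[int]) -> Tuple[List[int], List[int], List[int]]:
    """Constructed observer log for node A's transmissions.

    Returns (segment_ends, rts_times, cts_times): segment_ends[k] is T_{k+1},
    the end of exchange k+1; rts_times[k] is the RTS reception time t_{k+1};
    cts_times[k] is the CTS reception time of the same exchange.
    Assumption: the ACK for segment i ends exactly at T_i, so an observer in
    B's range has t_{ACK,i} == T_i as its reference for Eq. (3.2).
    """
    t_end = 0        # reference before exchange 1; the observer never sees it
    ends, rts, cts = [], [], []
    for b in backoffs:
        t_rts = t_end + T_DIFS + b * T_SLOT        # Eq. (3.1)
        t_cts = t_rts + T_RTS + T_SIFS             # CTS follows the RTS after SIFS
        t_end = t_cts + T_CTS + T_SIFS + T_DATA + T_SIFS + T_ACK
        rts.append(t_rts)
        cts.append(t_cts)
        ends.append(t_end)
    return ends, rts, cts


def _to_slots(delta_us: float, tol_us: float = 1.0) -> Optional[int]:
    """Convert a measured idle interval to a whole number of slots. An interval
    that is negative or not slot-aligned is not a valid DCF back-off and is
    discarded (None) rather than guessed at."""
    slots = delta_us / T_SLOT
    rounded = round(slots)
    if rounded < 0 or abs(slots - rounded) * T_SLOT > tol_us:
        return None
    return rounded


def backoffs_from_rts(segment_ends: List[int], rts_times: List[int]) -> List[Optional[int]]:
    """Eq. (3.1) solved for b_i, i > 1: an observer in A's range uses the end of
    the previous data segment as reference. b_1 has no reference and is skipped."""
    return [_to_slots(rts_times[i] - segment_ends[i - 1] - T_DIFS)
            for i in range(1, len(rts_times))]


def backoffs_from_cts(ack_times: List[int], cts_times: List[int]) -> List[Optional[int]]:
    """Eq. (3.2) solved for b_i, i > 1: an observer in B's range uses the
    overheard ACK of the previous segment as reference."""
    return [_to_slots(cts_times[i] - ack_times[i - 1] - T_DIFS - T_RTS - T_SIFS)
            for i in range(1, len(cts_times))]


if __name__ == "__main__":
    ends, rts, cts = build_timeline([5, 12, 0, 3])
    print("from RTS:", backoffs_from_rts(ends, rts))   # [12, 0, 3]
    print("from CTS:", backoffs_from_cts(ends, cts))   # [12, 0, 3]
```

Both observers recover the same sequence starting from the second transmission. The slot-alignment check is the practical caveat for Sect. 3.3: a timestamp disturbed by interference yields an interval that is not a multiple of SlotTime, and the function reports it as an unusable observation instead of feeding a wrong back-off into the detector.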

3.3 Impact of interference on misbehavior detection schemes

Up to this point, we have assumed that both the attacker and the detector observe each back-off value and that no errors are present. However, the main characteristic of the wireless medium is its unpredictability and instability. Namely, it is not realistic to assume that both the attacker and the detector will always obtain a perfect sequence of back-off values. It is reasonable to assume that due to interference both the adversary and the IDS will obtain a mixture of correct and erroneous observations at certain points of time. A detailed analysis of such scenarios and their impact on the performance of optimal attackers and detection schemes will be provided in Chapter 6.

In order to provide an insight into the impact of interference on the performance of the IEEE 802.11 MAC participants, we now describe two scenarios in which observations of nodes 1-3 and 8-9 from Fig. 3.2 are hindered by interference and hence the correctness of observations is influenced.

3.3.1 Interference due to concurrent transmissions

Assume that node C has obtained access to the channel and therefore node 2 is silenced. Node C is in the process of transmitting data packets to node D. If observer node 2 is within transmission range of C, C's transmission is overheard by node 2. Clearly, the ongoing transmission of C is experienced as interference at node 2 and obstructs node 2's observations. In the case of a significant interference level, node 2 may not be able to obtain the timing of the received RTS of node A and find the back-off value. Additional ongoing transmissions increase the perceived interference level. Evidently, obstructed measurements due to interference create additional problems in detecting misbehavior, as will be seen in the sequel. The extent to which observations of node 2 are influenced by interference depends on the relative proximity of 2 to node A and to the interfering nodes, since the received signal strength of the RTS packet and the interference is a function of signal strength decay with distance.
3.3.2 Interference due to simultaneous channel access

Node 2, which is silenced by A's RTS, observes the sequence of back-offs of node A. If node 2 is in the interference range of node C and C is out of the interference range of A, C may attempt to access the channel at the same time. If the RTS packets from nodes A and C overlap in time when received at node 2, node 2 receives a garbled packet and can distinguish neither the transmitter identity nor the packet reception time.

Interference from concurrent data transmissions and simultaneous channel access also affects measurements of nodes within the transmission range of node B. Both types of impairments lead to difficulties in misbehavior detection because they cause corruption of measurements. The probability of the second type of impairment is admittedly much lower than that of the first type, since it requires that nodes A and C access the channel almost at the same time. Although this problem is different from the first one, we will elaborate on obstruction of observations owing only to the first scenario.

A comment about the effect of misbehavior on a network-wide scale is in place here. Each node within transmission range of a malicious node increases its contention window exponentially after each unsuccessful transmission attempt. The same holds for nodes which are located out of the transmitter's range but are able to transmit to nodes that are silenced by the transmitter (in our case, nodes C and E). They may constantly attempt to communicate with silenced nodes and consequently increase their contention windows. In that respect, the effect of a malicious node spreads over an area much larger than its transmission range and may affect channel access of nodes throughout that area.

Another arising issue is the notification of the rest of the network about the misbehavior. Although all nodes within transmission range of nodes A and B above can deduce potential misbehavior, the nature of the IEEE 802.11 MAC protocol prohibits them from obtaining access to the channel and transmitting notification information.
Chapter 4

Min-max robust misbehavior detection

4.1 Introduction

As has been seen in Chapter 3, a malicious or selfish node may choose not to comply with protocol rules by occasionally or constantly selecting small back-off values. As a consequence of this modified access policy, such a node may gain significant advantage in channel sharing over honest nodes that comply with the protocol rules. An additional obstacle in such settings arises due to the exponential increase of the contention window after each unsuccessful transmission, which decreases the chances of channel access by legitimate protocol participants.

Several frameworks for attack detection and prevention have been proposed in recent years. However, as has been pointed out in Chapter 2, none of the proposed approaches considers intelligent adaptive attackers. More specifically, all known detection schemes are constructed for detection and prevention of either brute force or sub-optimal attacks that are focused against a specific detection scheme in a specific adversarial setting. If we assume that a specific attack strategy was constructed against a detection algorithm $\mathcal{D}_1$ deployed by an intrusion detection system $IDS_1$, then the same attack strategy becomes sub-optimal once a new detection algorithm $\mathcal{D}_2$ is deployed. This results in quicker and in most cases instantaneous detection of attacks.

In this work we present a general framework for detection and prevention of intelligent adaptive adversaries. More specifically, we address the problem of MAC protocol misbehavior detection at a fundamental level and cast it as a min-max robust detection problem, therefore capturing both the goal of the detection system (minimize detection delay) and the goal of the attacker (maximize gain). The main contributions of this work are: (i) formulation of the misbehavior problem as a min-max robust sequential detection problem that encompasses the case of a sophisticated attacker, (ii) quantification of performance losses incurred by an attack and definition of an uncertainty class that focuses only on attacks that incur "large enough" performance losses, (iii) derivation of an analytical expression for the worst-case attack and the number of observations required for attack detection, (iv) establishment of an upper bound on the number of required samples needed for detection of any of the attacks of interest.

4.2  Problem  motivation  and  sequential  detection 

At  this  point  we  revisit  the  setup  presented  in  Fig.  3.2  and  focus  on  monitoring 
the  behavior  of  node  A  for  the  single-hop  communication  with  node  B.  We  assume 
that  any  node  within  the  transmission  range  of  A  or  S  observes  the  same  sequence  of 
measurements  of  back-off  values  used  by  A.  Since  the  sequence  of  observations  is  the 
same,  the  procedure  that  will  be  described  in  the  sequel  can  take  place  in  any  of  the 
observer  nodes.  Since  the  back-off  measurements  are  enhanced  by  an  additional  sample 
each  time  A  attempts  to  access  the  channel,  an  on-line  sequential  scheme  is  suitable  for 
the  nature  of  the  problem.  The  basis  of  such  a  scheme  is  a  sequential  detection  test  that 
is  implemented  at  an  observer  node.  The  objective  of  the  detection  test  is  to  derive  a 
decision  as  to  whether  or  not  a  misbehavior  occurs  as  fast  as  possible,  namely  with  the 
least  possible  number  of  observation  samples.  Since  the  observation  samples  are  random 
variables,  the  number  of  required  samples  for  taking  a  decision  is  a  random  variable  as 
well. 
A sequential detection test is a procedure which, with every new piece of information that arrives, asks the question whether it should stop receiving more samples or continue sampling. If the answer to the first question is to stop (because sufficient information has been accumulated) then it proceeds to the phase of making a decision on the nature of the data. It is therefore clear that there are two quantities involved: a stopping time (s.t.) $N$, which is a random variable taking positive integer values and denoting the time we decide to stop getting more data; and a decision rule which at the time of stopping $N$ decides between the two hypotheses $H_0, H_1$ and therefore assumes the values 0, 1. For simplicity, let us denote with $\mathcal{D}$ the combination $\mathcal{D} = (N, d_N)$ of the s.t. $N$ and the decision rule $d_N$.

The probability of false alarm and the probability of missed detection constitute inherent tradeoffs in a detection scheme. Clearly, we can obtain small values for both of these two decision error probabilities by accumulating more information, that is, at the expense of larger detection delay. A logical compromise would therefore be to prescribe some maximal allowable values for the two error probabilities, and attempt to minimize the expected detection delay. Expressing this problem in a more formal setting, we are interested in finding a sequential test $\mathcal{D} = (N, d_N)$ that solves the following constrained optimization problem

$$\inf_{N, d_N} \mathbb{E}_1[N], \quad \text{under the constraints} \quad \mathbb{P}_0[d_N = 1] \le \alpha; \quad \mathbb{P}_1[d_N = 0] \le \beta; \tag{4.1}$$

where $\mathbb{P}_i$, $\mathbb{E}_i$ denote probability and expectation under hypothesis $H_i$, $i = 0, 1$, and $0 < \alpha, \beta < 1$ are the prescribed values for the probability of false alarm and miss respectively.

This mathematical setup was first proposed by Wald in [17], where he also introduced the Sequential Probability Ratio Test (SPRT) for its solution. The SPRT test is defined in terms of the log-likelihood ratio $S_n$

$$S_n = \ln \frac{f_1(x_1, \ldots, x_n)}{f_0(x_1, \ldots, x_n)} \tag{4.2}$$

of the two joint probability density functions $f_i(x_1, \ldots, x_n)$ of the data $\{x_1, \ldots, x_n\}$ under hypothesis $H_i$, $i = 0, 1$. The corresponding s.t. $N$ and decision rule $d_N$ are then given by

$$N = \inf\{n : S_n \notin [A, B]\} \tag{4.3}$$

$$d_N = \begin{cases} 1 & \text{if } S_N > B \\ 0 & \text{if } S_N < A \end{cases} \tag{4.4}$$

where the thresholds $A < 0 < B$ depend on the specified values of $P_{FA}$ and $P_M$. From Wald's identity [17]

$$\mathbb{E}[S_N] = \mathbb{E}[N] \times \mathbb{E}[\Lambda] \tag{4.5}$$

where $\mathbb{E}[\Lambda]$ is the expected value of the logarithm of the likelihood ratio. By using a similar approach as the one in [18, pp. 339-340], we can derive the following inequalities

$$1 - P_M \ge e^{a} P_{FA} \quad \text{and} \quad P_M \le e^{b} (1 - P_{FA}), \tag{4.6}$$

where $a$ and $b$ are the thresholds of the SPRT. When the average number of required observations is very large, the increments $\Lambda_i$ in the logarithm of the likelihood ratio are also small. Therefore, when the test terminates with selection of hypothesis $H_1$, $S_N$ will be slightly larger than $a$, while when it terminates with selection of $H_0$, $S_N$ will be very close to $b$. Therefore, the above inequalities hold to a good approximation as equalities. Under this assumption, the decision levels $a$ and $b$ that are required for attaining performance $(P_{FA}, P_M)$ are given by

$$a = \ln \frac{1 - P_M}{P_{FA}} \quad \text{and} \quad b = \ln \frac{P_M}{1 - P_{FA}}. \tag{4.7}$$

Following the derivations of [17, 18]

$$\mathbb{E}[S_N] = a P_D + b (1 - P_D) \tag{4.8}$$

where $P_D = 1 - P_M$ is the probability of detection of the SPRT. By substituting the above equation into Eq. (4.5) and utilizing the fact that $\mathbb{E}[S_N] = \text{const} = C$ for a given IDS with fixed $P_D$ and $P_M$, the following expression for the detection delay is derived:

$$\mathbb{E}[N] = \frac{\mathbb{E}[S_N]}{\mathbb{E}[\Lambda]} = \frac{C}{\mathbb{E}\left[\ln \frac{f_1}{f_0}\right]}. \tag{4.9}$$

We can see that the SPRT test continues sampling as long as the log-likelihood ratio takes values within the interval $(A, B)$ and stops taking more samples the first time it leaves it. Once stopped, the decision function decides in favor of hypothesis $H_1$ when $S_N$ exceeds the largest threshold and in favor of $H_0$ when $S_N$ is below the smallest threshold. If in particular the data are independent and identically distributed (i.i.d.) under both hypotheses then the log-likelihood ratio $S_n$ takes the following simple form

$$S_n = \sum_{k=1}^{n} \ln \frac{f_1(x_k)}{f_0(x_k)} = S_{n-1} + \ln \frac{f_1(x_n)}{f_0(x_n)}, \quad S_0 = 0. \tag{4.10}$$

Here $f_i(x)$ is the common probability density function (pdf) of the samples under hypothesis $H_i$, $i = 0, 1$. Notice that the recurrent relation on the right hand side of Eq. (4.10) allows for an efficient computation of the statistic $S_n$, which requires only a constant number of operations per time step and finite memory (we only need to store $S_n$ as opposed to the whole sequence $\{x_n, \ldots, x_1\}$).

Optimality of the SPRT in the sense described in (4.1) is assured only when the data are i.i.d. under both hypotheses [19]. For other data models there exists a very rich literature referring to asymptotic optimality results (see for example [20]). Concluding, we should also mention that the actual optimality of the SPRT is significantly stronger than the one mentioned in (4.1). The SPRT not only minimizes the average delay under $H_1$ but also simultaneously minimizes the alternative average delay $\mathbb{E}_0[N]$. This double optimality property is rather remarkable and not encountered in any other detection scheme.
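The SPRT of Eqs. (4.2)-(4.10), as an added Python example that is not code from the thesis: honest back-offs are uniform on $\{0, \ldots, W-1\}$ with $W = 32$ from Table 3.1, while the attacker pdf $f_1$ used here (linearly decreasing in the back-off value) is an assumption chosen only to make the test concrete, since the thesis defers the choice of $f_1$ to the min-max analysis that follows. The two sample sequences are constructed. `sprt`, `sprt_thresholds` and `expected_delay_h1` are this example's own names; the thresholds come from Eq. (4.7), the recursion from Eq. (4.10) and the expected delay from Eqs. (4.8)-(4.9).

```python
import math
from typing import List, Optional, Sequence, Tuple

W = 32   # CWmin from Table 3.1: a legitimate node draws back-offs uniformly from {0, ..., W-1}


def f0(x: int) -> float:
    """pdf of a legitimate node's back-off under H0: uniform on {0, ..., W-1}."""
    return 1.0 / W if 0 <= x < W else 0.0


def f1(x: int) -> float:
    """Constructed attacker pdf under H1 (assumption, not from the thesis):
    linearly decreasing, so small back-offs are favored; sums to one on {0, ..., W-1}."""
    return 2.0 * (W - x) / (W * (W + 1)) if 0 <= x < W else 0.0


def sprt_thresholds(p_fa: float, p_m: float) -> Tuple[float, float]:
    """Eq. (4.7): Wald's decision levels a > 0 > b for target (P_FA, P_M)."""
    a = math.log((1 - p_m) / p_fa)
    b = math.log(p_m / (1 - p_fa))
    return a, b


def sprt(samples: Sequence[int], p_fa: float = 0.01, p_m: float = 0.01) -> Tuple[Optional[int], int]:
    """Sequential test of Eqs. (4.3)-(4.4) using the recursion of Eq. (4.10).

    Returns (decision, n): decision 1 means H1 (misbehavior), 0 means H0
    (legitimate), None means the samples ran out before a level was crossed.
    Only the running statistic S_n is kept, as the text points out."""
    a, b = sprt_thresholds(p_fa, p_m)
    s = 0.0                                   # S_0 = 0
    for n, x in enumerate(samples, start=1):
        s += math.log(f1(x) / f0(x))          # S_n = S_{n-1} + ln f1(x_n)/f0(x_n)
        if s > a:
            return 1, n
        if s < b:
            return 0, n
    return None, len(samples)


def expected_delay_h1(p_fa: float = 0.01, p_m: float = 0.01) -> float:
    """Eqs. (4.8)-(4.9): E1[N] = (a P_D + b (1 - P_D)) / E1[ln f1/f0],
    with E1[ln f1/f0] computed exactly for the discrete pdfs above."""
    a, b = sprt_thresholds(p_fa, p_m)
    p_d = 1 - p_m
    e_lambda = sum(f1(x) * math.log(f1(x) / f0(x)) for x in range(W))
    return (a * p_d + b * (1 - p_d)) / e_lambda


# Constructed observation sequences (back-offs in slots, as an observer would
# recover them from Eqs. (3.1)-(3.2)); neither is a measurement from the thesis.
ATTACKER_SAMPLES: List[int] = [0, 1, 2] * 5
HONEST_SAMPLES: List[int] = [17, 29, 5, 31, 12, 30, 26, 22, 31, 9, 27, 30]


if __name__ == "__main__":
    print("thresholds (a, b):", sprt_thresholds(0.01, 0.01))
    print("attacker samples  ->", sprt(ATTACKER_SAMPLES))   # (1, 8)
    print("honest samples    ->", sprt(HONEST_SAMPLES))     # (0, 6)
    print("E1[N] from Eq. (4.9): %.1f" % expected_delay_h1())
```

With $P_{FA} = P_M = 0.01$ the levels are $a = \ln 99 \approx 4.6$ and $b = -a$. Each small back-off adds roughly $0.6$ to $S_n$ under this $f_1$, so the constructed attacker sequence crosses $a$ on the eighth sample, while the honest sequence is pushed below $b$ by its large back-offs on the sixth. The expected delay from Eq. (4.9) is about 25 samples, larger than the eight seen here because the constructed attacker sequence is more extreme than a draw from $f_1$; the gap is exactly what the next section addresses, since a detector tuned to a guessed $f_1$ is only as good as that guess.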

It is clear from the previous discussion that our intention is to follow a sequential approach for the detection of attacks. It is important to notice that in order to be able to use the SPRT it is necessary to specify both probability density functions $f_i(x)$, $i = 0, 1$ under the two hypotheses. Although the pdf $f_0(x)$ of a legitimate node is known, this is not the case for an attacker. Furthermore, specifying a candidate density $f_1(x)$ for an attacker without some proper analysis may result in serious performance degradation if the attacker's strategy diverges from our selection.

In order to be able to propose a specific detection rule we need to clarify and mathematically formulate the notion of an "attack". We should however place our main emphasis on attacks that incur large gains for the attacker (result in higher chances of channel access). Such an attack will have devastating effects for the network, in the sense that it would deny channel access to the other nodes and would lead to unfair sharing of the channel. Besides, if we assume that the detection of an attack is followed by communication of the attack event further in the network so as to launch a network response, it would be rather inefficient for the algorithm to consider less significant (and potentially more frequent) attacks and initiate responses for them. Instead, it is meaningful for the detection system to focus on encountering the most significant attacks and at the same time not to consume resources of any kind (processor power, energy, time or bandwidth) for dealing with attacks whose effect on performance is rather marginal.
4.3 Min-max robust detection: definition of uncertainty class


Previously, we stressed the sequential nature of our approach and the implicit need to consider the most significant attacks. The approach should also cope with the (statistically) uncertain operational environment of a wireless network, namely the random nature of protocols and the unpredictable misbehavior or attack instances. Hence, it is desirable to rely on robust detection rules that perform well regardless of uncertain conditions. In this work, we adopt the min-max robust detection approach, where the goal is to optimize performance for the worst-case instance of uncertainty. More specifically, the goal is to identify the least favorable operating point of a system in the presence of uncertainty and subsequently find the strategy that optimizes system performance when operating at that point. In our case, the least favorable operating point corresponds to the worst-case instance of an attack and the optimal strategy amounts to the optimal detection rule. System performance is measured in terms of the number of observation samples required to derive a decision.

A basic notion in min-max approaches is that of a saddle point. A strategy (detection rule) $\mathcal{D}^* = (N^*, d_{N^*})$ and an operating point (attack) $f_1^*$ in the uncertainty class form a saddle point if:

1. For the attack $f_1^*$, any detection rule $\mathcal{D}$ other than $\mathcal{D}^*$ has worse performance. Namely, $\mathcal{D}^*$ is the optimal detection rule for attack $f_1^*$ in terms of the minimum (average) number of required observations.

2. For the detection rule $\mathcal{D}^*$, any attack $f_1$ from the uncertainty class other than $f_1^*$ gives better performance. Namely, detection rule $\mathcal{D}^*$ has its worst performance for attack $f_1^*$.
Implicit in the min-max approach is the assumption that the attacker has full knowledge of the employed detection rule. Thus, it can create a misbehavior strategy that maximizes the number of samples required for misbehavior detection, delaying the detection as much as possible. Therefore, our approach refers to the case of an intelligent attacker that can adapt its misbehavior policy so as to avoid detection. One issue that needs to be clarified is the structure of this attack strategy. Subsequently, by deriving the detection rule and the performance for that case, we obtain an (attainable) upper bound on performance over all possible attacks.

4.3.1 Problem description and assumptions

According to the IEEE 802.11 MAC standard, the back-off for each legitimate node is selected from a set of values in a contention window interval based on the uniform distribution. The length of the contention window is $2^i W$ for the $i$th retransmission attempt, where $W$ is the minimum length of the contention window. In general, some back-off values will be selected uniformly from $[0, W]$ and others will be selected uniformly from intervals $[0, 2^i W]$, for $i = 1, \ldots, i_{\max}$, where $i_{\max}$ is the maximum number of retransmission attempts. Without loss of generality, we can scale down a back-off value that is selected uniformly in $[0, 2^i W]$ by a factor of $2^i$, so that all back-offs can be considered to be uniformly selected from $[0, W]$. We now present the problem and justify the above assumptions.

Assume each station generates a sequence of random back-offs $X_1, X_2, \ldots, X_i$ in order to access the channel. The back-off values of each legitimate protocol participant are then distributed according to the pdf $f_0(x)$, which is specified by the MAC layer protocol. Furthermore, the pdf of the misbehaving participants is unknown to the system and is denoted by $f_1(x)$.
We assume that a detection agent (e.g., the access point) monitors and collects the back-off values of a given station. It is important to note that observations are not perfect and can be hindered by concurrent transmissions or external sources of noise. It is impossible for a passive monitoring agent to know the internal exponential back-off stage of a given monitored station, due to collisions or to the fact that a station might not have anything to transmit. Furthermore, in practical applications the number of false alarms in anomaly detection schemes is very high. Consequently, instead of building a "normal" profile of network operation with anomaly detection schemes, we utilize specification-based detection. In our setup we identify the "normal" profile (i.e., a behavior consistent with the IEEE 802.11 specification) of a backlogged IEEE 802.11 station without any competing nodes, and notice that its back-off process $X_1, X_2, \ldots, X_i$ can be characterized by the pdf $f_0(x_i) = 1/(W+1)$ for $x_i \in \{0, 1, \ldots, W\}$ and zero otherwise. We claim that this assumption minimizes the probability of false alarms due to imperfect observations. At the same time, a safe upper bound on the amount of damage a misbehaving station can cause to the network is maintained.

Although our theoretical results utilize the above expression for $f_0$, the experimental setting utilizes the original implementation of the IEEE 802.11 MAC. In this case, the detection agent needs to deal with observed values of $X_i$ larger than $W$, which can be due to collisions or to the exponential back-off specification in IEEE 802.11.

4.3.2 Adversary model

We assume that the adversary has full control over the pdf $f_1(x)$ and the back-off values it generates. In addition, we assume that the adversary is intelligent, i.e., the adversary knows everything the detection agent knows and can infer the same conclusions as the detection agent. As has already been mentioned, this assumption enables the detector to obtain an upper bound on the detection delay. In this work we consider continuously backlogged nodes that always have packets to send. Thus, the gain of the adversary $\mathcal{G}$ is signified by the percentage of time in which it obtains access to the medium. This in turn depends directly on the relative values of the back-offs used by the attacker and by the legitimate nodes. In particular, the attacker competes with the node that has selected the smallest back-off value out of all nodes.

In order to derive an expression for the gain of the adversary, we first need to compute the probability $P_1$ of the adversary accessing the channel as a function of the pdfs $f_1(\cdot)$ and $f_0(\cdot)$. Following the IEEE 802.11 protocol, the back-off counter of any node freezes during transmissions and reactivates during free periods. Therefore, let us observe the back-off times during a fixed period $T$ that does not include transmission intervals. Consider first the case of one misbehaving and one legitimate node and assume that within the time period $T$ we observe $X_1, \ldots, X_N$, $N$ samples of the attacker's back-off, and $Y_1, \ldots, Y_M$, $M$ samples of the legitimate node's back-offs. It is then clear that the attacker's percentage of accessing the channel during the period $T$ is $N/(N+M)$. In order to obtain the desired probability we simply need to compute the limit of this ratio as $T \to \infty$. Notice that

$$X_1 + \cdots + X_N \le T \le X_1 + \cdots + X_{N+1}, \qquad Y_1 + \cdots + Y_M \le T \le Y_1 + \cdots + Y_{M+1},$$

which yields

$$\frac{\frac{N}{N+1}\,\frac{N+1}{X_1+\cdots+X_{N+1}}}{\frac{N}{N+1}\,\frac{N+1}{X_1+\cdots+X_{N+1}} + \frac{M}{M+1}\,\frac{M+1}{Y_1+\cdots+Y_{M+1}}} \le \frac{\frac{N}{T}}{\frac{N}{T}+\frac{M}{T}} = \frac{N}{N+M} \le \frac{\frac{N}{X_1+\cdots+X_N}}{\frac{N}{X_1+\cdots+X_N}+\frac{M}{Y_1+\cdots+Y_M}}. \qquad (4.11)$$


Letting $T \to \infty$ results in $N, M \to \infty$ and from the previous double inequality, by applying the Law of Large Numbers, we conclude that

$$P_1 = \lim_{T\to\infty} \frac{N}{N+M} = \lim_{N,M\to\infty} \frac{\frac{N}{X_1+\cdots+X_N}}{\frac{N}{X_1+\cdots+X_N} + \frac{M}{Y_1+\cdots+Y_M}} = \frac{\frac{1}{E_1[X]}}{\frac{1}{E_1[X]} + \frac{1}{E_0[Y]}}. \qquad (4.12)$$

Using exactly similar reasoning, the probability $P_1$ for the case of one misbehaving node against $n$ legitimate ones takes the form

$$P_1 = \frac{\frac{1}{E_1[X]}}{\frac{1}{E_1[X]} + \frac{n}{E_0[Y]}} = \frac{1}{1 + n\,\frac{E_1[X]}{E_0[Y]}} = \frac{1}{1 + n\,\frac{2E_1[X]}{W}}, \qquad (4.13)$$

where in the last equality we have used the fact that the average back-off of a legitimate node is $W/2$ (because $f_0$ is uniform in $[0, W]$).

If the attacker were legitimate then $E_1[X] = E_0[Y]$ and his probability of accessing the channel, from Eq. (4.13), would be $1/(n+1)$. It is therefore clear that whenever

$$E_1[X] = \epsilon\, E_0[Y], \quad \text{with } \epsilon \in (0, 1), \qquad (4.14)$$

the attacker enjoys a gain as compared to any legitimate node, since then

$$P_1 = \frac{\eta}{n+1} > \frac{1}{n+1}, \quad \text{where } \eta = \frac{1+n}{1+\epsilon n} \in (1, n+1). \qquad (4.15)$$

In other words, his probability of accessing the channel is greater than the corresponding probability of any legitimate node by a factor $\eta > 1$.

Using the simple modelling introduced in the previous paragraph we are now able to quantify the notion of an "attack". Let $\eta$ be a quantity that satisfies $1 < \eta < n+1$ and consider the class of all pdfs that induce a probability $P_1$ of accessing the channel that is no less than $\eta/(n+1)$. Using Eq. (4.14) and Eq. (4.15), the class $\mathcal{F}_\eta$ can be explicitly defined as

$$\mathcal{F}_\eta = \left\{ f_1(x) : \int_0^W x\, f_1(x)\,dx \le \frac{1 - \frac{\eta-1}{n}}{\eta}\,\frac{W}{2} \right\}, \qquad 1 < \eta < n+1. \qquad (4.16)$$

This class includes all possible attacks for which the incurred relative gain exceeds the legitimate one by $(\eta - 1) \times 100\%$. The class $\mathcal{F}_\eta$ is the uncertainty class of the robust approach and $\eta$ is a tunable parameter. Notice from Eq. (4.15) that, since $P_1$ is a probability, the gain factor $\eta$ must not exceed $n+1$ in order for the previous inequality to produce a nonempty class.

By defining the class $\mathcal{F}_\eta$ we imply that the detection scheme should focus on attacks with larger impact on system performance and not on small-scale or short-term attacks. We define the severity of the attack by changing the gain factor $\eta$. Values of $\eta$ larger than but close to 1 correspond to low-impact attacks, whereas values significantly larger than 1 correspond to DoS attacks.

We note that each system will have different tolerance levels for different behaviors and consequently the class $\mathcal{F}_\eta$ cannot be universally defined. We say that a system $S$ is robust against a class of attacks $\mathcal{F}_\eta$ if its IDS can detect an adversary $A \in \mathcal{F}_\eta$ with detection delay $T$ (or $N$ if the delay is measured in the observed number of samples), while maintaining the performance level of the system above the pre-defined threshold $V_T$. The parameters $T$ and $V_T$ are not fixed and vary depending on how strict the security requirements are in a given system. A system $S$ is optimal if its IDS is capable of constructing a universal detection strategy that minimizes the detection delay for the worst-case attack scenario. We now formally define a robust IDS.

Definition 4.3.1. An IDS is robust against a class of attacks $\mathcal{F}_\eta$ if it can detect any adversary $A \in \mathcal{F}_\eta$ with detection delay $\le T_c$, where $T_c$ is the detection delay at which the performance level of legitimate protocol participants falls below the pre-defined threshold $V_T$, while maintaining the pre-defined probability of false alarm $P_{FA}$ and probability of miss $P_M$.
In the light of the previously defined $\mathcal{F}_\eta$, it is now possible to formally define the capabilities of the adversary. We assume the adversary has full control over his actions. In order to describe the capabilities of the attacker we define a feasible class of attacks $\mathcal{F}$ that describes his probable set of actions. In addition, we assume that for each attack strategy $A_S \in \mathcal{F}$ there exists an associated gain of the adversary $\mathcal{G}$. If there exist $k$ possible attack strategies within the given class $\mathcal{F}$, then the strategy $A_{S_1}$ corresponds to legitimate behavior and the strategy $A_{S_k}$ corresponds to the DoS attack. Consequently, these strategies result in gains $\mathcal{G}_1$ and $\mathcal{G}_k$ respectively.

We assume the objective of the adversary is to design an access policy which maximizes his gain $\mathcal{G}$ over the defined period of time, while minimizing the probability of detection $P_D$. If the adversary is malicious, his goal is to minimize the gain of the other participants. On the other hand, a greedy adversary attempts to maximize his own gain, which may or may not result in minimizing the gain of the other participants. We now formally define the notion of an intelligent adversary.

Definition 4.3.2. An adversary $A$ is intelligent if, given a set of attack strategies $A_S \in \mathcal{F}$, it is always capable of choosing an appropriate strategy $A_{S_i}$, $i = 1, \ldots, k$, that minimizes the probability of detection $P_D$ for a given gain $\mathcal{G}_i$, $i = 1, \ldots, k$.

4.4 Min-max robust detection: derivation of the worst-case attack

Hypothesis $H_0$ concerns legitimate operation and thus the corresponding pdf $f_0(x)$, as was mentioned before, is the uniform one. Hypothesis $H_1$ corresponds to misbehavior with unknown pdf $f_1(x) \in \mathcal{F}_\eta$.

The objective of a detection rule is to minimize the number of required observation samples $N$ needed to derive a decision regarding the existence or not of misbehavior. The performance of a detection scheme is quantified by the average number of samples $E_1[N]$ needed until a decision is reached, where the average is taken with respect to the distribution $f_1(x)$ employed by the attacker. This expectation is clearly a function of the adopted detection rule $\mathcal{D}$ and the pdf $f_1(x)$, that is,

$$E_1[N] = \phi(\mathcal{D}, f_1). \qquad (4.17)$$

Let $\mathcal{T}_{\alpha,\beta}$ denote the class of all sequential tests for which the false alarm and missed detection probabilities do not exceed some specified levels $\alpha$ and $\beta$ respectively. Consider also the class $\mathcal{F}_\eta$ of densities $f_1(x)$ as in (4.16) for some prescribed gain factor $\eta > 1$. In the context of the min-max robust detection framework, the goal is to optimize performance in the presence of the worst-case attack, that is, to solve the following min-max problem

$$\inf_{\mathcal{D}\in\mathcal{T}_{\alpha,\beta}}\ \sup_{f_1\in\mathcal{F}_\eta} \phi(\mathcal{D}, f_1). \qquad (4.18)$$

Solving a min-max problem is usually complicated, unless one can obtain a saddle point solution.

Definition 4.4.1. A pair $(\mathcal{D}^*, f_1^*)$ is called a saddle point of the function $\phi$ if

$$\phi(\mathcal{D}^*, f_1) \le \phi(\mathcal{D}^*, f_1^*) \le \phi(\mathcal{D}, f_1^*); \qquad \forall\, \mathcal{D} \in \mathcal{T}_{\alpha,\beta},\ \forall\, f_1 \in \mathcal{F}_\eta. \qquad (4.19)$$

As we can see, a saddle point $(\mathcal{D}^*, f_1^*)$ of $\phi$ consists of a detection scheme $\mathcal{D}^*$ and an attack distribution $f_1^*$. Equation (4.19) is a formal statement of properties 1 and 2 that were mentioned in Section 4.3. The property that is important here in connection with the min-max problem (4.18) is the fact that the saddle point pair $(\mathcal{D}^*, f_1^*)$ also solves the min-max problem, since one can prove that [21]

$$\inf_{\mathcal{D}\in\mathcal{T}_{\alpha,\beta}}\ \sup_{f_1\in\mathcal{F}_\eta} \phi(\mathcal{D}, f_1) \ge \sup_{f_1\in\mathcal{F}_\eta} \phi(\mathcal{D}^*, f_1) = \phi(\mathcal{D}^*, f_1^*). \qquad (4.20)$$
Saddle point solutions are much easier to obtain than their min-max counterparts. Unfortunately, saddle point solutions do not always exist. In view of Eq. (4.20), instead of solving Eq. (4.18) it is sufficient to find the saddle point that solves Eq. (4.19). The saddle point pair $(\mathcal{D}^*, f_1^*)$ is specified in the next theorem.


Theorem 4.4.2. Let the gain factor $\eta \in (1, n+1)$ and the maximal allowable decision error probabilities $\alpha, \beta$ be given. Then the pair $(\mathcal{D}^*, f_1^*)$ which asymptotically (for small values of $\alpha, \beta$) solves the saddle point problem defined in (4.19) is the following:

$$f_1^*(x) = \frac{y\, e^{y(1 - x/W)}}{W\,(e^{y} - 1)}, \qquad 0 \le x \le W, \qquad (4.21)$$

where $y > 0$ is the solution to the following equation in $y$:

$$2\left(\frac{1}{y} - \frac{1}{e^{y} - 1}\right) = \frac{\frac{1}{\eta} - \frac{1}{n+1}}{\frac{n}{n+1}}. \qquad (4.22)$$

The corresponding decision rule $\mathcal{D}^* = (N^*, d_{N^*})$ is the SPRT test that discriminates between $f_1^*(x)$ and $f_0(x)$ (the uniform density) and is given by

$$S_n^* = S_{n-1}^* + \ln\frac{f_1^*(X_n)}{f_0(X_n)} = S_{n-1}^* + y\left(1 - \frac{X_n}{W}\right) + \ln\frac{y}{e^{y} - 1}; \qquad S_0^* = 0, \qquad (4.23)$$

$$N^* = \inf\{n : S_n^* \notin [A, B]\}, \qquad (4.24)$$

$$d_{N^*} = \begin{cases} 1 & \text{if } S_{N^*}^* \ge B, \\ 0 & \text{if } S_{N^*}^* \le A. \end{cases} \qquad (4.25)$$

Proof. We first note that (4.22) is equivalent to

$$\int_0^W x\, f_1^*(x)\,dx = \frac{1 - \frac{\eta-1}{n}}{\eta}\,\frac{W}{2}, \qquad (4.26)$$

which assures that $f_1^*(x)$ defined in (4.21) is a member of the uncertainty class $\mathcal{F}_\eta$. Let us now demonstrate that for any gain factor $\eta \in (1, n+1)$ there always exists $y \in (0, \infty)$ such that (4.22) holds. Notice that for $\eta \in (1, n+1)$ we have $1/(n+1) < \eta/(n+1) < 1$, so the right-hand side of (4.22) lies strictly between 0 and 1. If we now call $\psi(\mu) = 2\left(\frac{1}{\mu} - \frac{1}{e^{\mu} - 1}\right)$, then $\psi(\mu)$ is a continuous function of $\mu$. Furthermore, we observe that $\psi(0) = 1$ exceeds the right-hand side of (4.22), while one can show that $\lim_{\mu\to\infty} \psi(\mu) = 0$ falls below it. Since we can find two values of $\mu$, one yielding a smaller and another a larger value than the right-hand side of (4.22), by continuity there exists $\mu > 0$ such that the equality in (4.22) holds. In fact this $\mu$ is unique, since it is also possible to show that $\psi(\mu)$ is strictly decreasing.
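As an added worked step (not carried out in the original text), the equivalence of (4.22) and (4.26) follows from the mean of (4.21), computed with the substitution $u = x/W$ and one integration by parts:

$$\int_0^W x\, f_1^*(x)\,dx = \frac{y}{W(e^{y}-1)}\int_0^W x\, e^{y(1-x/W)}\,dx = \frac{W y\, e^{y}}{e^{y}-1}\int_0^1 u\, e^{-yu}\,du = \frac{W e^{y}}{e^{y}-1}\cdot\frac{1 - e^{-y}(1+y)}{y} = W\left(\frac{1}{y} - \frac{1}{e^{y}-1}\right).$$

Dividing both sides by $W/2$ turns the left-hand side into $\psi(y)$, so (4.22) states precisely that this mean equals the bound of (4.16) with equality, which is (4.26).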

Let us now proceed to the saddle point problem given by Eq. (4.19). We observe that the right-hand side of the inequality suggests that $\mathcal{D}^*$ must be the optimum detection structure for $f_1^*(x)$. Indeed, this is how $\mathcal{D}^*$ is defined, since it is selected as the SPRT test that optimally discriminates between $f_1^*(x)$ and the uniform $f_0(x)$.

In order to show that the left-hand side is also true, we adopt an asymptotic approach. By considering that the two maximal error probabilities $\alpha, \beta$ are small, it is possible to use efficient approximations for the two thresholds $A, B$ and the average detection delay function $\phi(\mathcal{D}^*, f_1)$. Specifically, from [17] we have that $A$ and $B$ can be approximated as

$$A = \ln\frac{\beta}{1-\alpha}, \qquad B = \ln\frac{1-\beta}{\alpha}, \qquad (4.27)$$

and the expected delay by the expression

$$\phi(\mathcal{D}^*, f_1) = \frac{A\beta + B(1-\beta)}{\displaystyle\int_0^W \ln\frac{f_1^*(x)}{f_0(x)}\, f_1(x)\,dx}. \qquad (4.28)$$

In fact these formulas become exact if the SPRT statistic $S_n^*$ hits exactly (does not overshoot) the two thresholds $A, B$ at the time of stopping. This for example happens in continuous-time and continuous-path processes.

Since the numerator in the previous formula is constant, the left-hand side inequality in (4.19) is true if the denominator in Eq. (4.28) is minimized for $f_1(x) = f_1^*(x)$. Because we consider $f_1(x) \in \mathcal{F}_\eta$, inequality (4.16) applies, therefore we can write

$$\int_0^W \ln\frac{f_1^*(x)}{f_0(x)}\, f_1(x)\,dx = y - \frac{y}{W}\int_0^W x\, f_1(x)\,dx + \ln\frac{y}{e^{y}-1} \ge y - \frac{y}{W}\,\frac{1 - \frac{\eta-1}{n}}{\eta}\,\frac{W}{2} + \ln\frac{y}{e^{y}-1} = y - \frac{y}{W}\int_0^W x\, f_1^*(x)\,dx + \ln\frac{y}{e^{y}-1} = \int_0^W \ln\frac{f_1^*(x)}{f_0(x)}\, f_1^*(x)\,dx, \qquad (4.29)$$

where for the first inequality we used (4.16) and for the last two equalities we used (4.21), (4.26). This concludes the proof. □


Regarding Theorem 4.4.2 we would like to point out that our selection of $f_1^*(x)$ was in fact the outcome of a rigorous analysis. We basically used the additional property enjoyed by the saddle point solution to solve not only the min-max problem in (4.18) but also its max-min version

$$\sup_{f_1\in\mathcal{F}_\eta}\ \inf_{\mathcal{D}\in\mathcal{T}_{\alpha,\beta}} \phi(\mathcal{D}, f_1). \qquad (4.30)$$

It turns out that this latter problem can be solved directly (using standard variational techniques), thus providing us with a suitable candidate pdf $f_1^*(x)$ for the saddle point problem (4.20). Of course we then need to go through the preceding proof in order to establish that $f_1^*(x)$ is indeed the correct pdf.
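As an added, self-contained example (not code from the dissertation), the following Python solves (4.22) for $y$ by bisection, builds the least favorable pdf (4.21), checks through (4.13) that it yields exactly the access probability $\eta/(n+1)$, and runs the SPRT detector of (4.23)-(4.27) on observed back-offs, comparing the simulated delay with the Wald approximation (4.28). The parameter values ($W = 31$, $n = 2$, $\eta = 1.5$, $\alpha = \beta = 0.01$) and the sampled sequences are constructed for the demonstration.

```python
import math
import random

# Added example, not the dissertation's own code: the least favorable attack
# pdf of Theorem 4.4.2 and the SPRT of (4.23)-(4.27), written against the
# chapter's symbols W (contention window), n (legitimate nodes), eta (gain
# factor), y (solution of (4.22)) and alpha/beta (error probabilities).


def psi(y):
    """Left-hand side of (4.22), 2(1/y - 1/(e^y - 1)); strictly decreasing on (0, inf)."""
    if y > 700.0:          # e^y would overflow a double; 1/(e^y - 1) is negligible there
        return 2.0 / y
    return 2.0 * (1.0 / y - 1.0 / math.expm1(y))


def rhs_422(eta, n):
    """Right-hand side of (4.22): (1/eta - 1/(n+1)) / (n/(n+1)) = (n+1-eta)/(eta n)."""
    if not 1.0 < eta < n + 1:
        raise ValueError("gain factor must satisfy 1 < eta < n + 1")
    return (1.0 / eta - 1.0 / (n + 1)) / (n / (n + 1))


def solve_y(eta, n, tol=1e-12):
    """Solve (4.22) for y by bisection; psi falls from 1 (y -> 0) to 0 (y -> inf)."""
    target = rhs_422(eta, n)
    lo, hi = 1e-9, 1.0
    while psi(hi) > target:  # grow the bracket until psi(hi) < target
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if psi(mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def f1_star(x, y, W):
    """Least favorable attack pdf (4.21) on [0, W]."""
    if x < 0.0 or x > W:
        return 0.0
    return y * math.exp(y * (1.0 - x / W)) / (W * math.expm1(y))


def mean_f1_star(y, W):
    """E_1[X] under (4.21) in closed form, W (1/y - 1/(e^y - 1)); equals the bound in (4.26)."""
    return W * (1.0 / y - 1.0 / math.expm1(y))


def access_probability(mean_attacker_backoff, n, W):
    """P_1 from (4.13) with E_0[Y] = W/2: 1 / (1 + 2 n E_1[X] / W)."""
    return 1.0 / (1.0 + 2.0 * n * mean_attacker_backoff / W)


def sprt_thresholds(alpha, beta):
    """Wald approximations (4.27): A = ln(beta/(1-alpha)) < 0 < B = ln((1-beta)/alpha)."""
    return math.log(beta / (1.0 - alpha)), math.log((1.0 - beta) / alpha)


def llr(x, y, W):
    """Per-sample log-likelihood ratio of (4.23), with f_0 uniform on [0, W]."""
    return y * (1.0 - x / W) + math.log(y / math.expm1(y))


def sprt(samples, y, W, alpha, beta):
    """Run (4.23)-(4.25) over observed back-offs. Returns (decision, N), where
    decision is 1 (misbehavior), 0 (legitimate) or None if the samples ran out."""
    A, B = sprt_thresholds(alpha, beta)
    S, k = 0.0, 0
    for x in samples:
        k += 1
        S += llr(x, y, W)
        if S >= B:
            return 1, k
        if S <= A:
            return 0, k
    return None, k


def expected_delay_wald(y, W, alpha, beta):
    """(4.28) evaluated at f_1 = f_1^*: (A beta + B(1-beta)) / E_1^*[ln f_1^*/f_0]."""
    A, B = sprt_thresholds(alpha, beta)
    kl = y * (1.0 - mean_f1_star(y, W) / W) + math.log(y / math.expm1(y))
    return (A * beta + B * (1.0 - beta)) / kl


def sample_f1_star(rng, y, W):
    """Inverse-CDF draw from (4.21); used only to stress-test the detector."""
    u = rng.random()
    return W * (1.0 - math.log(math.exp(y) - u * math.expm1(y)) / y)


if __name__ == "__main__":
    W, n, eta, alpha, beta = 31.0, 2, 1.5, 0.01, 0.01   # constructed parameters
    y = solve_y(eta, n)
    m = mean_f1_star(y, W)
    print(f"y = {y:.4f}, E_1[X] = {m:.3f}, P_1 = {access_probability(m, n, W):.3f} "
          f"(target eta/(n+1) = {eta / (n + 1):.3f})")
    rng = random.Random(2007)
    runs = 2000
    worst = sum(sprt((sample_f1_star(rng, y, W) for _ in range(10_000)),
                     y, W, alpha, beta)[1] for _ in range(runs)) / runs
    legit = sum(sprt((rng.uniform(0.0, W) for _ in range(10_000)),
                     y, W, alpha, beta)[1] for _ in range(runs)) / runs
    print(f"Wald approximation (4.28): {expected_delay_wald(y, W, alpha, beta):.1f} samples")
    print(f"simulated E[N]: worst-case attacker {worst:.1f}, legitimate node {legit:.1f}")
```

The simulated worst-case delay exceeds the Wald value slightly because the discrete statistic overshoots the thresholds, which is the caveat noted after (4.28).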

As was mentioned above, the min-max robust detection approach captures the case of an intelligent adaptive attacker. The SPRT algorithm is part of the intrusion detection system module that resides at an observer node. With the method outlined in this chapter, an observer node monitors the behavior of another node with the objective of deriving a decision as fast as possible. In other words, the observer (and hence the system) attempts to minimize the number of required samples so as to improve its payoff in terms of improved chances for channel access. On the other hand, an intelligent attacker that knows the detection algorithm attempts to delay this decision as much as possible so as to increase his own benefit in terms of chances for channel access. The attacker aims at a strategy that causes performance degradation for other nodes while remaining undetected.

At this point, an additional comment regarding the adversary assumptions is in place. In this specific setting we assume that the adversary is aware that an IDS is using the SPRT as a detection strategy and will stop misbehaving before it is detected. Although this may seem to be a disadvantage, it is actually not. The optimal IDS forces an adversary to either (i) occasionally follow the protocol rules and shift below the threshold $B$; (ii) apply a mild misbehavior strategy that stays below the threshold $B$ at all times; or (iii) relocate as soon as the threshold $B$ is approached. In (i) and (ii) the attacker has to stop misbehaving or settle for a very mild advantage over other participants. In case (iii) the deployment of an optimal IDS forces an adversary to relocate frequently, therefore increasing the cost of launching an attack. It is important to note that the relocation space of an adversary is not infinite, i.e., a greedy user has to send packets to another node. Unless there is a set of collaborating adversaries, an adversary that chooses to employ an aggressive misbehavior policy will be quickly detected.

4.5 Experimental evaluation of optimal attack strategies

In this section we perform an experimental evaluation of the optimal attack strategies derived in the previous section. The goal of the evaluation is to assess the performance of our approach and identify the relative impact of different system parameters on it. In order to evaluate the detection delay of our detection scheme against a specific class of attacks, the performance is measured in terms of the average required number of observation samples $E[N]$ needed to derive a decision, which essentially denotes the delay in detecting a misbehavior instance. In addition, we investigate the influence of the number of regular participants on the form of the least favorable distribution $f_1^*(x)$.

The parameter $\eta$ defines the class of attacks of interest since it specifies the incurred relative gain of the attacker in terms of the probability of channel access. In that sense, $\eta$ can be interpreted as a sensitivity parameter of the detection scheme with respect to attacks, which is determined according to the IDS requirements. The IEEE 802.11 MAC is implemented and MATLAB is used to evaluate the performance of our scheme, taking into account the sequence of observed back-offs.

In Fig. 4.1 we present the form of the least favorable attack pdf $f_1^*(x)$ as a function of the gain factor $\eta$ and the number of legitimate nodes $n$.

Figure 4.1: Form of the least favorable pdf $f_1^*(x)$: a) number of legitimate nodes $n = 2$, one malicious node and gain factor $\eta = 1, 1.5, 2, 2.5$; b) gain factor $\eta = 1.5$ and number of legitimate nodes $n = 1, 2, 5, \infty$; c) absolute gain $\eta/(n+1)$ and number of legitimate nodes $n = 1, 2, 5, 10, 20$.
Fig. 4.1a depicts the form of the density for $n = 2$ legitimate nodes competing with one attacker, for values of the gain factor $\eta = 1, 1.5, 2, 2.5$. We observe that as $\eta \to 3$ (the maximum possible gain for $n = 2$) the density tends to a Dirac delta function at $x = 0$, which corresponds to a DoS attack, representing the extreme case of misbehavior where the attacker consumes all the available resources.

In Fig. 4.1b we fix the gain factor to $\eta = 1.5$ (the attacker enjoys 50% more access to the channel than a legitimate node) and plot $f_1^*(x)$ for number of legitimate nodes $n = 1, 2, 5, \infty$. We observe that as the number $n$ of legitimate nodes increases, the attacker converges towards a less aggressive strategy. The interesting point is that the least favorable pdf converges very quickly to a limiting function as the number of legitimate nodes increases. This example confirms that it is possible to detect an attacker even if a large number of legitimate nodes is present, since the attacker, in order to maintain his relative gain, must use a pdf which differs from the nominal uniform.

Instead of fixing the attacker's gain relative to the gain of a legitimate node, we now examine what happens when the attacker follows a more aggressive policy and demands channel access for a constant percentage of time, regardless of the number of existing nodes. To achieve this goal, the gain factor $\eta$ must be selected so that $\eta/(n+1)$ is a constant. Fig. 4.1c depicts this specific scenario for $\eta/(n+1) = 0.5$. In other words, the attacker has access to the channel 50% of the time, regardless of the number of competing nodes. We can see that when $n = 1$ the attacker behaves legitimately, but as the number $n$ of legitimate nodes increases, the attacker quickly resorts to strategies of DoS type in order to maintain this fixed access percentage. This is evident from the fact that the least favorable pdf tends to accumulate all its probability mass at small back-off values.
Figure 4.2: Average Detection Delay $E[N]$ as a function of (a) gain factor $\eta$; (b) absolute gain, for $\alpha = \beta = 0.01$.

In order to obtain some intuition from our results, we consider the case of one attacker competing with $n \ge 1$ legitimate nodes. In Fig. 4.2a we depict the average required number of observation samples as a function of the parameter $\eta$. We fix the probability of detection and the probability of false alarm to 0.99 and 0.01 respectively and measure the Average Detection Delay $E[N]$ for $1 < \eta < n+1$. The graph shows that low values of $\eta$ prolong the detection procedure, since in that case the attacker does not deviate significantly from the protocol. On the other hand, a large $\eta$ signifies a class of increasingly aggressive attacks for which detection is achieved with very small delay. Due to the fact that the value of $\eta$ is limited by the number of legitimate nodes, we cannot compare the performance of the system for different values of $n$ unless the absolute gain is used. In Fig. 4.2b we depict $E[N]$ as a function of the absolute gain. It can be seen that detection becomes more efficient as the number of participating legitimate nodes increases. For example, for an absolute gain of 0.6, the IDS requires 10 times fewer samples to detect misbehavior for $n = 5$ than for the case of $n = 1$.

Finally, we implement the worst-case attack pdf characterized by Eq. (4.21) in the network simulator OPNET. We take advantage of the experimental setup and perform the evaluation as a tradeoff between the average time to detection, $T_d$, and the average time to false alarm, $T_{fa}$, a quantity that is more meaningful and intuitive in practice. It is important to emphasize that the realistic false alarm rate used by actual intrusion detection systems is much lower than the $\alpha = 0.01$ used in the theoretical analysis. We claim that this false alarm rate leads to an accurate estimate of the false alarm rates that need to be satisfied in actual anomaly detection systems [22, 23]. Due to that fact we set $\beta = 0.01$ and vary $\alpha$ over several orders of magnitude, down to the value that corresponds to one false alarm during the whole simulation period. The back-off distribution of an optimal attacker was implemented in the network simulator OPNET and tests were performed for various levels of false alarms. The backlogged environment in OPNET was created by employing a relatively high packet arrival rate per unit of time: the results were collected for the exponential(0.01) packet arrival rate and the packet size was 2048 bytes. The results for both legitimate and malicious behavior were collected over a fixed period of 1.5 min. We note that the simulations were performed with nodes that followed the standard IEEE 802.11 access protocol (with exponential back-off). The system's performance was evaluated for three values of absolute gain, 0.5, 0.6 and 0.8, and the results are presented in Fig. 4.3. By observing the tradeoff curves in Fig. 4.3 we conclude that the system's detection delay decreases significantly as the attacker's absolute gain increases. To illustrate this claim,
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Figure  4.3:  Tradeoff  curve  for  =  0.5,  0.6,  0.8  and  n  =  2. 

we  observe  the  best  case  system  performance,  i.  e.  one  false  alarm  over  the  whole  sim¬ 
ulation  period  of  1.5min,  and  note  that  the  detection  delay  for  the  absolute  gain  of  80% 
is  approximately  3.5  times  shorter  than  in  the  case  when  the  absolute  gain  is  50%.  This 
again  confirms  the  efficiency  of  our  proposed  detection  system  against  most  aggressive 
worst-case  optimal  attacks.  In  order  to  illustrate  the  influence  of  the  number  of  legitimate 


Figure  4.4:  Tradeoff  curve  for  =  0.5  and  n  =  2, 3. 

competing  nodes  on  the  detection  time,  we  compare  the  performance  of  the  detection 
system  for  the  case  when  n  =  2  and  n  =  5.  In  order  to  obtain  fair  comparison,  we  use 
the  same  value  of  absolute  gain,  =  0.5.  The  results  are  presented  in  Fig.  4.4.  As 
expected,  all  nodes  experience  higher  number  of  collisions  in  the  congested  environment. 
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resulting  in  delayed  detection.  It  is  important  to  note  that  the  traffic  generation  rate  used 
in  Fig.  4.4  is  lower  than  the  one  used  in  Fig.  4.3.  By  observing  the  curves  for  =  0.5  in 
both  figures,  we  note  that  the  detection  system  experiences  larger  delay  when  lower  traffic 
rates  are  used,  which  is  logical  since  all  nodes  access  channel  less  frequently,  generating 
smaller  number  of  back-off  samples  within  the  same  time  interval. 

4.5.1 Impact of multiple competing nodes on the performance of the optimal attacker

Figure 4.5: Tradeoff curve ($T_D$ for absolute gain = 0.6, one malicious and a varying number of legitimate nodes $n$) for $n = 2, 3, 4, 5$.

4.5.2 Performance comparison of MAC layer misbehavior detection schemes

In Sect. 4.1 we argued that (i) the performance of a sub-optimal detection scheme will be degraded in the presence of an optimal attack and (ii) an attacker that deploys a sub-optimal strategy (i.e. a strategy that is constructed against a specific detection system) will be detected with substantially smaller detection delay than the optimal one when a quickest detection scheme (i.e. the optimal detection scheme) is deployed. We now confirm the above statement by experimental evaluation. In particular, as an example of a sub-optimal detection scheme we analyze the performance of DOMINO [2] and compare it against the optimal, SPRT-based detection scheme, in the presence of optimal and sub-optimal attacks.

Figure 4.6: Tradeoff curve ($T_D$ for absolute gain = 0.5, one malicious and a varying number of legitimate nodes $n$) for $n = 2, 3, 4$.

The back-off distribution of the optimal attacker was implemented in the network simulator OPNET and tests were performed for various levels of false alarms. The results presented in this section correspond to the scenario consisting of two legitimate and one selfish node competing for channel access. It is important to mention that the resulting performance comparison of DOMINO and SPRT does not change for any number of competing nodes: SPRT always exhibits the best performance.

In order to demonstrate the performance of all detection schemes, we choose to present the results for the scenario where the attacker attempts to access the channel 60% of the time (as opposed to 33% if it were behaving legitimately). The backlogged environment in OPNET was created by employing a relatively high packet arrival rate per unit of time: the results were collected for the exponential(0.01) packet arrival rate and the packet size was 2048 bytes. The results for both legitimate and malicious behavior were collected over a fixed period of 100 s.

The evaluation was performed as a tradeoff between the average time to detection and the average time to false alarm. It is important to mention that the theoretical performance evaluation of both DOMINO and SPRT was measured in number of samples. Here, however, we take advantage of the experimental setup and measure time in seconds, a quantity that is more meaningful and intuitive in practice.

Figure 4.7: Tradeoff curves for the DOMINO algorithm. One curve shows its performance when detecting an adversary that chooses $f_1^D$ and the other its performance when detecting an adversary that chooses $f_1^*$.

The first step in our experimental evaluation is to show that the performance of a sub-optimal detection scheme (DOMINO) is degraded in the presence of an optimal attack $f_1^*$. Fig. 4.7 provides experimental evidence confirming our predictions. Namely, the DOMINO detection scheme was constructed for detection of a specific class of attacks described in [2, 24]. We denote that class of attacks by $f_1^D$. As can be seen from Fig. 4.7, the detection delay of the DOMINO algorithm increases by up to 40% when an optimal attack strategy $f_1^*$ is deployed. More specifically, the results presented in Fig. 4.7 illustrate the fact that an adversary using $f_1^*$ against DOMINO can misbehave for longer periods of time without being detected than by using $f_1^D$.

Figure 4.8: Tradeoff curves for the SPRT algorithm. One curve shows its performance when detecting an adversary that chooses $f_1^D$ and the other its performance when detecting an adversary that chooses $f_1^*$.

We now evaluate the performance of an attacker that deploys a sub-optimal strategy (which was constructed against the DOMINO detection scheme) against the quickest detection (SPRT) scheme and compare it with the performance of an attacker that deploys the optimal strategy $f_1^*$. The results are presented in Fig. 4.8. As expected, a sub-optimal attack $f_1^D$ is detected with a substantially smaller detection delay than the optimal one when the SPRT-based detection scheme (i.e. the optimal detection scheme) is deployed. More specifically, we observe that the detection delay for the sub-optimal strategy is approximately 50% smaller than the one for the optimal strategy.

Figure 4.9: Tradeoff curves for the SPRT and DOMINO algorithms.

We now test how the optimal (SPRT) and sub-optimal (DOMINO) detection algorithms compare to each other. Fig. 4.9 shows that SPRT significantly outperforms DOMINO in the presence of an optimal attacker. We have therefore confirmed by experimental evaluation that SPRT is the best test when the adversary selects $f_1^*$. Nevertheless, $f_1^*$ can be argued to be a good adversarial strategy against any detector in the asymptotic observation case, since it in fact minimizes the Kullback-Leibler divergence from the specified pdf $f_0$. The result is that the probability of detection of any algorithm (when the false alarm rate goes to zero) is upper bounded by a quantity determined by $D(p\|q)$, the Kullback-Leibler divergence between two pdfs [25]. On the other hand, it was not possible to find any theoretical motivation for the definition of $f_1^D$ and, hence, we claim it is a sub-optimal strategy for the given settings.
Chapter 5

Collaborative attacks

The problem treatment in Chapter 4 assumed the existence of a single intelligent adversary; the scenario where two or more protocol participants collaborate in order to degrade the performance of legitimate participants was not considered. In this chapter we extend the proposed framework to the case of $n > 2$ collaborating adversaries and evaluate the performance of the quickest detection scheme in this setting. We show that, although extremely efficient in terms of increased detection delay and performance losses of the system, the collaborative strategies are difficult to implement due to synchronization issues that arise from the random nature of the protocol and the unpredictability of the wireless medium.

As we have already pointed out, we consider detection strategies in the presence of intelligent misbehaving nodes that are aware of the existence of monitoring neighboring nodes and adapt their access policies in order to avoid detection. Because we now deal with multiple adversaries that collaborate with the common goal of disrupting network functionality, additional assumptions need to be adopted. First of all, we assume that colluding nodes collaborate by exchanging information and by taking actions that amplify each other's effects on network functionality. More specifically, we assume that each individual action can produce the desired effect only if properly coordinated with the other actions. The rest of the assumptions about the adversary model are identical to the case of a single adversary. We assume that the adversaries are knowledgeable, i.e. they know everything a monitoring node knows about the detection scheme, and intelligent, i.e. they can make inferences about the situation in the same way the monitoring nodes can. We assume that the goal of the misbehaving hosts is to choose an optimal attack strategy that minimizes the probability of detection $P_D$ (or equivalently a strategy that maximizes the probability of avoiding detection $P_M$), while maximizing their gain (access to the channel).

It is now clear that two additional difficulties arise in this new setting, one on the side of the detector and one on the side of the collaborating adversaries. As has been pointed out, the adversaries need to be synchronized and consequently need to be able to communicate (exchange information) at all times in order to launch an efficient attack. On the other hand, the detector needs to be able to efficiently correlate individual actions across users in order to identify a single attack. Hence, a robust detector needs to be able to both localize and detect an ongoing collaborative attack with minimum delay.

5.1 Definition of the Uncertainty Class

Following the approach proposed in Sect. 4.3 we again adopt a min-max robust approach for defining the uncertainty class. In this setting we assume that the detection system adopts the optimal detection rule $\mathcal{D}^*_{12}$ and the collaborating adversaries adopt the optimal access policy $f^*_{12}$. The goal of the adversaries is to create a misbehavior strategy that maximizes the number of samples required for misbehavior detection, delaying the detection as much as possible. At the same time, the adversaries aim to disrupt the functionality of the network and minimize the probability of access of the legitimate protocol participants.

In order to quantify the performance of the detection scheme and the attacker, we introduce the parameter $\eta$, which defines the class of attacks of interest and specifies the incurred relative gain of the attacker in terms of the probability of channel access. In that sense, $\eta$ can be interpreted as a sensitivity parameter of the detection scheme with respect to attacks, which is determined according to the IDS requirements.

In this section we follow the same set of assumptions about the IEEE 802.11 MAC protocol as in Chapter 4. We assume that one of the misbehaving collaborating nodes and a legitimate node intend to access the channel at the same time instant. In order to have a fair basis for comparison, assume that they start their back-off timers at the same time. We let the random variable $X_0$ stand for the back-off value of a legitimate user; hence it is uniformly distributed in $[0, W]$. Also, let the random variables $X_1$ and $X_2$ stand for the back-off values of the misbehaving nodes (attackers), with unknown joint pdf $f_{12}(x_1, x_2)$ with support $[0, W]$. The relative advantage of the attacker is quantified as the probability of accessing the channel, or equivalently the probability that its back-off is smaller than that of the legitimate node, $\Pr(X_0 < \min\{X_1, X_2\})$.

Suppose that all nodes were legitimate. If $p$ is the access probability of each node, then the probability of successful channel access achieves fairness for $p^* = 1/3$ for each node. Now, if two nodes collaborate, they receive gain from their attack if $\Pr(X_0 < \min\{X_1, X_2\}) < \eta/3$. In order to quantify this, let $\eta \in [0, 1]$ and define the class of attacks

$$\mathcal{F}_\eta = \left\{ f_{12}(x_1, x_2) : \int_0^W \int_0^W \frac{\min(x_1, x_2)}{W}\, f_{12}(x_1, x_2)\, dx_1\, dx_2 \le \frac{\eta}{3} \right\}, \qquad (5.1)$$

where we used the fact that $f_0(x) = 1/W$. The class defined by expression 5.1 includes attacks for which the incurred relative loss of the legitimate participants exceeds a certain amount (or equivalently, the incurred relative gain exceeds a certain amount). The class $\mathcal{F}_\eta$ is the uncertainty class of the robust approach and the parameter $\eta$ is a tunable parameter. By defining the class $\mathcal{F}_\eta$, we imply that the detection scheme should focus on attacks with larger impact on system performance and not on small-scale or short-term attacks.
5.2 Derivation of the worst-case attack for n = 2 adversaries

By following the approach from Chap. 4, we assume that hypothesis $H_0$ concerns legitimate operation and thus the corresponding pdf $f_0(x)$ is the uniform one. Hypothesis $H_1$ corresponds to misbehavior with unknown pdf $f_{12}(x_1, x_2) \in \mathcal{F}_\eta$. Since the objective of a detection rule is to minimize the number of observation samples $N_{12}$ needed for deriving a decision regarding the existence or not of misbehavior, we adopt the SPRT as our optimal detection rule $\mathcal{D}^*_{12}$ for detection of the worst-case attack $f^*_{12}$. The performance of the optimal detection scheme is again quantified by the average number of samples $E_{12}[N]$ needed until a decision is reached, where the average is taken with respect to the distribution $f_{12}(x_1, x_2)$ employed by the attacker. This expectation is a function of the adopted detection rule $\mathcal{D}_{12}$ and the pdf $f_{12}(x_1, x_2)$:

$$E_{12}[N] = \phi(\mathcal{D}_{12}, f_{12}(x_1, x_2)). \qquad (5.2)$$

From Eq. (4.9) the average number of samples is

$$E_{12}[N] = \frac{E[S_N]}{E_{12}\left[\ln \dfrac{f_{12}(X_1, X_2)}{f_0(X_1)\, f_0(X_2)}\right]} = \frac{C}{E_{12}\left[\ln \dfrac{f_{12}(X_1, X_2)}{f_0(X_1)\, f_0(X_2)}\right]}, \qquad (5.3)$$

where $f_0(x_i) = 1/W$ (denotes the uniform distribution of normal operation), $C = a P_D + b(1 - P_D)$, and the expectation in the denominator is with respect to the unknown attack distribution $f_{12}$. In the context of the min-max robust detection framework, the goal is to optimize the performance of the detection scheme in the presence of the worst-case attack, that is, to solve the following min-max problem

$$\inf_{\mathcal{D}_{12}} \; \sup_{f_{12} \in \mathcal{F}_\eta} \phi(\mathcal{D}_{12}, f_{12}). \qquad (5.4)$$

Since $C$ from Eq. (5.3) is a constant, the solution of the above min-max problem reduces to:

$$\min_{f_{12}} \int_0^W \int_0^W f_{12}(x_1, x_2) \ln f_{12}(x_1, x_2)\, dx_1\, dx_2 \qquad (5.5)$$

subject to the constraints

$$\int_0^W \int_0^W f_{12}(x_1, x_2)\, dx_1\, dx_2 = 1 \qquad (5.6)$$

and

$$\int_0^W \int_0^W \frac{\min(x_1, x_2)}{W}\, f_{12}(x_1, x_2)\, dx_1\, dx_2 \le \frac{\eta}{3}. \qquad (5.7)$$

The first constraint enforces the fact that $f_{12}$ is a pdf and the second one holds because $f_{12} \in \mathcal{F}_\eta$. By applying the Karush-Kuhn-Tucker (KKT) conditions, we find that the function $f^*_{12}(x_1, x_2)$ has the following form:

$$f^*_{12}(x_1, x_2) = e^{-(1+\lambda)}\, e^{-\mu \min(x_1, x_2)/W}, \qquad (5.8)$$

where $\lambda$ and $\mu$ are the Lagrange multipliers that correspond to the constraints and are functions of $W$ and $\eta$ only. These can be obtained from the system of equations:

$$e^{-(1+\lambda)}\, \frac{2W^2}{\mu^2}\left(e^{-\mu} + \mu - 1\right) = 1, \qquad e^{-(1+\lambda)}\, \frac{2W^2}{\mu^3}\left(2e^{-\mu} + \mu e^{-\mu} - 2 + \mu\right) = \frac{\eta}{3}. \qquad (5.9)$$

For the purpose of illustrating the actual effects of collaborating adversaries on the performance of the system we now observe two collaborating adversaries under the assumption that they act as a single adversary. Fig. 5.1 depicts the form of the density $f_{12}$ of two collaborating attackers for various values of the parameter $\eta$. Again, as in Chap. 4, we observe that as $\eta \to 1$, the density tends to a Dirac delta function at $x = 0$, which corresponds to a DoS attack. However, unlike in the case of a single attacker, the detection system does not observe the pdf from Fig. 5.1 until the stage of localization. The IDS, or more specifically the observers, see each adversary as a separate entity, therefore observing a significantly milder strategy than the one that is actually being used against the system, as we will see in Sect. 5.4.
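Solving the system (5.9) numerically, as an added example that is not part of the dissertation (which reports the resulting densities only graphically in Fig. 5.1): given $W$ and $\eta$, the routine below finds $\mu$ by bisection on the ratio of the two equations (in which $e^{-(1+\lambda)}$ and $W$ cancel), recovers $\lambda$ from the first equation, and then checks constraints (5.6) and (5.7) and the denominator of (5.3) by brute-force midpoint integration over the $[0, W]^2$ grid, independently of the closed forms. The contention window $W = 32$ and all function names are assumptions of this example.

```python
import math


def expected_min_over_w(mu):
    """E[min(X1,X2)/W] under f*_12 as a function of mu alone.

    This is the ratio of the second to the first equation in (5.9); the
    factor e^{-(1+lambda)} and W cancel, so it depends on mu only.
    """
    if mu < 1e-8:
        return 1.0 / 3.0  # mu -> 0: f*_12 is uniform and E[min/W] of two U[0,1] is 1/3
    em = math.exp(-mu)
    # expm1 keeps e^{-mu} + mu - 1 accurate when mu is small
    return (2.0 * math.expm1(-mu) + mu * em + mu) / (mu * (math.expm1(-mu) + mu))


def solve_multipliers(eta, W):
    """Return (lambda, mu) solving (5.9) for the given eta and W.

    The gain constraint (5.7) is tight at the worst case, so mu solves
    expected_min_over_w(mu) = eta/3, and lambda follows from the first equation.
    """
    target = eta / 3.0
    if target >= 1.0 / 3.0:  # eta = 1: no deviation, uniform density, mu = 0
        return 2.0 * math.log(W) - 1.0, 0.0
    lo, hi = 0.0, 1.0
    while expected_min_over_w(hi) > target:  # E[min/W] decreases as mu grows
        hi *= 2.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if expected_min_over_w(mid) > target:
            lo = mid
        else:
            hi = mid
    mu = 0.5 * (lo + hi)
    # first equation of (5.9): e^{-(1+lambda)} * 2W^2 (e^{-mu} + mu - 1) / mu^2 = 1
    e_neg = mu * mu / (2.0 * W * W * (math.expm1(-mu) + mu))
    lam = -math.log(e_neg) - 1.0
    return lam, mu


def worst_case_pdf(x1, x2, lam, mu, W):
    """f*_12(x1, x2) from Eq. (5.8)."""
    return math.exp(-(1.0 + lam) - mu * min(x1, x2) / W)


def check_worst_case(eta, W=32.0, n_grid=300):
    """Midpoint-rule integration of the worst-case pdf over [0, W]^2.

    Returns (mass, gain, kl): total probability (should be 1), the legitimate
    node's access probability E[min/W] (should equal eta/3), and the
    denominator of (5.3), E_12[ln f*_12/(f0 f0)] = E_12[ln f*_12] + 2 ln W.
    """
    lam, mu = solve_multipliers(eta, W)
    dx = W / n_grid
    mass = gain = ent = 0.0
    for i in range(n_grid):
        x1 = (i + 0.5) * dx
        for j in range(n_grid):
            x2 = (j + 0.5) * dx
            f = worst_case_pdf(x1, x2, lam, mu, W)
            cell = f * dx * dx
            mass += cell
            gain += cell * min(x1, x2) / W
            ent += cell * math.log(f)
    kl = ent + 2.0 * math.log(W)
    return mass, gain, kl


if __name__ == "__main__":
    for eta in (0.3, 0.6, 0.9):
        mass, gain, kl = check_worst_case(eta)
        print(f"eta={eta}: mass={mass:.4f} E[min/W]={gain:.4f} "
              f"(eta/3={eta/3:.4f}) KL denominator={kl:.4f}")
```

The returned `kl` is the quantity in the denominator of (5.3): dividing $C = aP_D + b(1-P_D)$ by it gives the expected number of samples $E_{12}[N]$, and it grows as $\eta$ shrinks, which is the numerical counterpart of the observation that more aggressive colluding attacks are detected faster.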


Figure 5.1: The optimal pdf of colluding adversaries.

Interestingly, Eq. (5.8) shows that the worst-case attack distribution $f^*_{12}$ again takes exponential form, just like in the case of a single adversary. We now need to prove that the pair $(\mathcal{D}^*_{12}, f^*_{12})$ is a saddle point of the function $\phi$, where the saddle point was defined by Def. 4.19. The right-hand side of the inequality suggests that $\mathcal{D}^*_{12}$ must be the optimum detection structure for $f^*_{12}(x_1, x_2)$. Indeed, this is how $\mathcal{D}^*_{12}$ is defined, since it is selected as the SPRT test that optimally discriminates between $f^*_{12}$ and the uniform pdf $f_0$. This proves the right-hand side of the saddle point inequality. Following the identical approach as in the case of Theorem 4.4.2, we prove that $\phi(\mathcal{D}^*_{12}, f^*_{12}) \ge \phi(\mathcal{D}^*_{12}, f_{12})$ for all $f_{12} \in \mathcal{F}_\eta$, therefore proving the left inequality in (4.19). We have now shown that the pair $(\mathcal{D}^*_{12}, f^*_{12})$, where $\mathcal{D}^*_{12}$ is the SPRT and $f^*_{12}(x_1, x_2)$ is the exponential density, constitutes a saddle point of $\phi$. This means that the min-max equality holds and we can interchange the order of min and sup in the optimization problem above [21]. Then, the problem

$$\max_{f_{12} \in \mathcal{F}_\eta} \; \min_{\mathcal{D}_{12}} \phi(\mathcal{D}_{12}, f_{12}) \qquad (5.10)$$

has the same solution as (4.18).

As was mentioned above, the min-max robust detection approach captures the case of an intelligent adaptive attacker. The SPRT algorithm is part of the intrusion detection system module that resides at an observer node. In other words, the observer (and hence the system) attempts to minimize the number of required samples so as to improve its payoff in terms of improved chances for channel access. On the other hand, an intelligent attacker that knows the detection algorithm attempts to delay this decision as much as possible so as to increase his own benefit in terms of chances for channel access. The attacker aims at a strategy that causes performance degradation for other nodes while remaining undetected.

Naturally, if the attacker is intelligent and is aware of the optimal detection strategy of the given system, he can choose to misbehave until the estimated detection point and after that either obey the protocol rules for a certain time or choose to relocate. The quickest detection framework employed in our analysis forces the adversary to follow the protocol rules or relocate as often as possible, thereby increasing the cost of launching an attack.

5.3 Derivation of the worst-case attack for n > 2 adversaries

In order to proceed towards the derivation of the worst-case attack for the case of $n > 2$ adversaries we first redefine the uncertainty class described by Eq. 5.1. In the setup with more than 2 collaborating adversaries, the relative advantage of the adversaries is again quantified as the probability of accessing the channel, or equivalently the probability that their back-off is smaller than that of the legitimate node.

Suppose that we observe the behavior of $n + 1$ legitimate nodes, where $n > 1$. If $p$ is the access probability of each node, then the probability of successful channel access achieves fairness for $p^* = 1/(n+1)$ for each node. Now, if $n$ nodes collaborate, they receive gain from their attack if $\Pr(X_0 < \min\{X_1, \ldots, X_n\}) < \eta/(n+1)$. In order to quantify this, let $\eta \in [0, 1]$ and define the class of attacks for $f_{1\ldots n}(x_1, \ldots, x_n)$

$$\mathcal{F}_\eta = \left\{ f_{1\ldots n}(x_1, \ldots, x_n) : \int_0^W \cdots \int_0^W \frac{\min(x_1, \ldots, x_n)}{W}\, f_{1\ldots n}(x_1, \ldots, x_n)\, dx_1 \cdots dx_n \le \frac{\eta}{n+1} \right\}. \qquad (5.11)$$

Assuming that the SPRT is used, we again seek an attack distribution $f^*$ such that $\phi(d^*, f^*) \ge \phi(d^*, f)$ for all other attacks $f \in \mathcal{F}_\eta$.

From Eq. (4.9) the average number of samples is

$$E[N] = \frac{E[S_N]}{E_{1\ldots n}\left[\ln \dfrac{f_{1\ldots n}(X_1, \ldots, X_n)}{f_0(X_1) \cdots f_0(X_n)}\right]} = \frac{C}{E_{1\ldots n}\left[\ln \dfrac{f_{1\ldots n}(X_1, \ldots, X_n)}{f_0(X_1) \cdots f_0(X_n)}\right]}, \qquad (5.12)$$

where $f_0(x_i) = 1/W$ (denotes the uniform distribution of normal operation), $C = a P_D + b(1 - P_D)$, and the expectation in the denominator is with respect to the unknown attack distribution $f$. Since $C$ is a constant, the problem of finding the attack that maximizes the required number of observations reduces to the problem:

$$\min_{f_{1\ldots n}} \int_0^W \cdots \int_0^W f_{1\ldots n}(x_1, \ldots, x_n) \ln f_{1\ldots n}(x_1, \ldots, x_n)\, dx_1 \cdots dx_n \qquad (5.13)$$

subject to the constraints

$$\int_0^W \cdots \int_0^W f_{1\ldots n}(x_1, \ldots, x_n)\, dx_1 \cdots dx_n = 1 \qquad (5.14)$$

$$\int_0^W \cdots \int_0^W \frac{\min(x_1, \ldots, x_n)}{W}\, f_{1\ldots n}(x_1, \ldots, x_n)\, dx_1 \cdots dx_n \le \frac{\eta}{n+1}. \qquad (5.15)$$

The first constraint enforces the fact that $f$ is a pdf and the second one holds because $f \in \mathcal{F}_\eta$. By applying the Karush-Kuhn-Tucker (KKT) conditions, we find that the function $f^*_{1\ldots n}(x_1, \ldots, x_n)$ has the following form:

$$f^*_{1\ldots n}(x_1, \ldots, x_n) = \qquad (5.16)$$

where $\lambda$ and $\mu$ are the Lagrange multipliers that correspond to the constraints and are functions of $W$ and $\eta$ only. These can be obtained by numerically solving the above constraints.

Again, Eq. (5.16) shows that the worst-case attack distribution $f^*_{1\ldots n}$ takes exponential form, just like in the case of a single adversary. Following the identical approach as in the case of Theorem 4.4.2, we prove that $\phi(d^*, f^*) \ge \phi(d^*, f)$ for all $f \in \mathcal{F}_\eta$, therefore proving the left inequality in (4.19). We have now shown that the pair $(d^*, f^*)$, where $d^*$ is the SPRT and $f^*(x_1, \ldots, x_n)$ is the exponential density, constitutes a saddle point of $\phi$. This means that the so-called min-max equality holds and we can interchange the order of min and sup in the optimization problem above [21]. Then, the problem

$$\max_{f \in \mathcal{F}_\eta} \; \min_{d} \phi(d, f) \qquad (5.17)$$

has the same solution as (4.18).

5.4 Experimental Results

We now proceed to the experimental evaluation of the analyzed scenario. In order to correctly capture the behavior of colluding attackers and evaluate their advantage over non-colluding strategies, we compare the performance of a single optimal attacker from [26] with the performance of colluding attackers who generate the optimal back-off sequence according to the pdf $f_{12}$. The detection schemes employed in [2, 26] use different metrics to evaluate the performance of attackers and of the detection algorithms. We believe that the performance of the detection algorithms is better captured by employing the expected time before detection $E[T_D]$ and the average time between false alarms $E[T_{fa}]$ instead of the detection delay $E[N]$, used in [26], or throughput, used in [2], as the evaluation parameters.

It is important to note that the chosen values of the parameter $\alpha$ in all the experiments are small and vary from 10“^ to 10“^^. We claim that this represents an accurate estimate of the false alarm rates that need to be satisfied in actual anomaly detection systems [22, 23], a fact that was not taken into account in the evaluation of previously proposed systems.

The back-off distribution of both the optimal single attacker from [26] and the optimal colluding attackers from Eq. (5.8) was implemented in the network simulator OPNET and tests were performed for various levels of false alarms and various values of the parameter $\eta$. The sequence of optimal back-off values was then exported to Matlab and the quickest detection tests were performed on the given data sets.

We first analyze the effectiveness of the quickest detection scheme against colluding attackers with different levels of aggressiveness (different values of $\eta$). We chose three different values of $\eta$: 0.3, 0.6 and 0.9, where $\eta = 1$ represents the scenario where all nodes follow the rules of the protocol. The results of the above strategies are presented in Fig. 5.2. As expected, the detection delay increases with $\eta$ and is almost identical for higher values of $\eta$. This re-confirms the effectiveness of the optimal SPRT-based detection scheme for detection of nodes that significantly deviate from the protocol rules. However, it is important to quantify the advantage of the colluding scheme over a single attacker in order to justify the employment of an additional attacker. It is to be expected that the colluding nodes will experience larger detection delays, depending on the $\eta$ they choose for their access strategy.

Figure 5.2: Tradeoff curves for 2 colluding nodes and $\eta$ = 0.3, 0.6 and 0.9.

Fig. 5.3 compares the performance of colluding and single attackers for $\eta = 0.6$. It is important to mention that the crucial advantage of colluding nodes is that the detection system is not aware of collaboration among the attackers and performs detection on a single malicious node. As expected, the detection delay for colluding nodes is approximately 2 times higher than for a single attacker.

Figure 5.3: Tradeoff curves for $\eta$ = 0.6: detection times for colluding nodes are up to 2 times longer than for a single node with identical strategy.

In order to illustrate the effect of $\eta$ on the detection delay, we now perform the same test with $\eta = 0.9$. As can be seen from Fig. 5.4, the detection delay for colluding nodes increases even further as the aggressiveness of the attackers decreases.

Figure 5.4: Tradeoff curves for $\eta$ = 0.9: detection times for colluding nodes are up to 3 times longer than for a single node with identical strategy.

Finally, we fix $\eta = 0.9$ for the case of a single attacker and attempt to find the corresponding value of $\eta$ for the case of colluding nodes that will have the same detection delay. As can be seen from Fig. 5.5, the corresponding value of $\eta$ is approximately 0.4, which represents a significant gain (recall that $\eta = 0$ represents the DoS attack) and enables colluding attackers to significantly deviate from the protocol rules with a detection delay equivalent to the one when there is almost no misbehavior.

Figure 5.5: Tradeoff curves for $\eta$ = 0.9 (single attacker) and $\eta$ = 0.4 (colluding attackers).

Finally, it is important to address the issue of the overhead of the proposed detection algorithm. The SPRT is highly efficient since no observation vectors need to be stored. The only storage complexity is the one needed for the pdfs $f_1$ and $f_0$, the thresholds "a" and "b" and the current statistic $S_n$. In addition to that, the SPRT algorithm is also time-efficient, since in order to compute the log-likelihood we only need to compute the ratio of two functions ($f_0$ and $f_1$, which are very simple to evaluate) and add this value to the current statistic $S_n$. Therefore, the overhead of the proposed algorithm is low and can be obtained by adding the two previously mentioned values.
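The SPRT detector just described, as an added example that is not the dissertation's code nor its OPNET/Matlab implementation: the detector keeps only the two pdfs, the Wald thresholds $a$ and $b$ derived from the target error rates $\alpha$ and $\beta$, and the running statistic $S_n$, and it decides after each back-off sample. It assumes continuous back-off values in $[0, W]$ (rather than integer slots), $f_0$ uniform, and $f_1$ the truncated exponential form derived in this chapter with a fixed multiplier `mu` (an assumed value, not one solved from Eq. (5.9)); the sample streams are constructed inline, and the contention window $W = 32$ and the function names are assumptions of this example.

```python
import math
import random

W = 32.0  # assumed contention window (not a value from the dissertation)


def f0(x, W=W):
    """Legitimate back-off pdf: uniform on [0, W]."""
    return 1.0 / W if 0.0 <= x <= W else 0.0


def f1(x, mu, W=W):
    """Worst-case attack pdf: truncated exponential e^(-mu x / W) on [0, W]."""
    if not 0.0 <= x <= W:
        return 0.0
    return mu * math.exp(-mu * x / W) / (W * (1.0 - math.exp(-mu)))


def wald_thresholds(alpha, beta):
    """Wald's approximations: S_n >= a decides H1 (attack), S_n <= b decides H0."""
    a = math.log((1.0 - beta) / alpha)
    b = math.log(beta / (1.0 - alpha))
    return a, b


def sprt(samples, mu, alpha=0.01, beta=0.01, W=W):
    """Run the SPRT over a stream of back-off samples.

    Returns (decision, n): decision 1 = misbehavior, 0 = legitimate, or None
    if the stream ended before a threshold was crossed; n is the sample count.
    """
    a, b = wald_thresholds(alpha, beta)
    s = 0.0  # S_n: the only state kept besides a, b and the two pdfs
    n = 0
    for x in samples:
        n += 1
        s += math.log(f1(x, mu, W) / f0(x, W))  # log-likelihood ratio increment
        if s >= a:
            return 1, n
        if s <= b:
            return 0, n
    return None, n


def sample_attack(mu, rng, W=W):
    """Inverse-CDF draw from the truncated exponential f1 (constructed data)."""
    u = rng.random()
    return -(W / mu) * math.log(1.0 - u * (1.0 - math.exp(-mu)))


def mean_detection_delay(mu, runs=200, alpha=0.01, beta=0.01, seed=7, W=W):
    """Average number of samples until the SPRT decides on an attacker drawing from f1."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        stream = (sample_attack(mu, rng, W) for _ in range(10_000))
        _, n = sprt(stream, mu, alpha, beta, W)
        total += n
    return total / runs


def false_alarm_rate(mu, runs=500, alpha=0.01, beta=0.01, seed=11, W=W):
    """Fraction of legitimate (uniform) streams wrongly flagged as misbehavior."""
    rng = random.Random(seed)
    flagged = 0
    for _ in range(runs):
        stream = (rng.uniform(0.0, W) for _ in range(10_000))
        decision, _ = sprt(stream, mu, alpha, beta, W)
        flagged += decision == 1
    return flagged / runs


if __name__ == "__main__":
    print("mean delay, mu=4:", mean_detection_delay(4.0))
    print("mean delay, mu=2:", mean_detection_delay(2.0))
    print("false alarm rate at alpha=0.01:", false_alarm_rate(4.0))
```

Two deterministic cases show the per-sample cost: a node that always picks back-off 0 adds $\ln(\mu/(1-e^{-\mu}))$ to $S_n$ on every sample and is flagged after a handful of observations, while a node that always picks $W$ drives $S_n$ below $b$ just as fast. The Monte Carlo helpers reproduce the tradeoff the chapter measures: the less aggressive attack (smaller `mu`) needs more samples, and the fraction of legitimate streams flagged stays near the configured $\alpha$.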




Chapter 6

Impact of interference on the performance of optimal detection schemes

6.1 Overview

In Chap. 3, Sect. 3.3 we briefly introduced the importance of considering the impact of interference on the performance of detection schemes. Before proceeding to the analytical evaluation, we analyze the behavior of the optimal detection scheme presented in Chap. 4 in the presence of interference. We assume that (i) the main source of interference is concurrent transmissions of neighboring nodes, (ii) the effects of interference are observed in terms of reduced Signal-to-Interference and Noise Ratio (SINR) and (iii) a reduction in SINR results in missed observations (RTS or CTS packets) at the observer's side. Depending on interference conditions, a percentage of the back-off samples collected by the observer nodes are corrupted (not measured correctly). In that case, the most convenient measure of performance is the Packet Error Rate (PER) of RTS/CTS messages. In this case, PER indicates the amount of additional measurements required for reaching a decision, depending on whether the observer node resides within range of the attacker (RTS observations) or of the receiver (CTS observations) of the attack.

Figure 6.1: Average detection delay for different values of SINR and $n$ = 1, 3, 10.

Fig. 6.1 shows the average number of samples needed for detection of an optimal attacker for different intensities of interference, with respect to the absolute gain. System performance is evaluated for $n$ = 1, 3 and 10. For large values of absolute gain it can be observed that intense interference conditions (reflected in SINR values of 3-4 dB) can increase the number of required samples by 85%-120% compared to the case when no interference is present. It is also worth mentioning that as the aggressiveness of an attacker increases, the number of samples needed for detection decreases, regardless of the SINR values. However, in real IDSs, the $P_{FA}$ needs to be much lower than the one used in most theoretical analyses in
current  literature  [23,  22].  As  a  consequence,  the  detection  delay  in  the  presence  of  in¬ 
tense  interference  is  still  significantly  higher  than  in  conditions  without  interference,  even 
for  more  aggressive  attacks.  This  will  be  demonstrated  in  the  remainder  of  this  chapter. 
Finally,  we  observe  that  for  SINR>  8dB,  the  performance  of  the  detection  scheme  is  not 
affected  significantly  by  interference  due  to  the  fact  that  most  RTS/CTS  messages  are 
received  correctly.  Hence,  interference  can  be  viewed  as  an  aid  to  the  adversary  in  the 
sense  that  it  provides  him  additional  benefit  by  prolonging  detection.  Consequently,  this 
leads  to  raising  the  cost  of  detection.  Due  to  different  lengths  of  RTS  and  CTS  messages, 
the  number  of  samples  needed  to  detect  misbehavior  is  lower  when  CTS  messages  are 
used  in  measurements.  For  example,  for  SINR  values  of  3-4  dB,  a  =  fi  =  0.01,  we  observe 
an  increase  of  85  —  100%  in  the  number  of  required  samples  compared  to  that  with  no 
interference.  Therefore,  when  assigning  observer  roles  to  nodes,  emphasis  should  be  given 
to  those  nodes  that  are  located  within  range  of  the  receiver.  The  amount  of  additional 
measurements  needed  for  detection  expressed  in  the  form  of  PER  for  different  values  of 
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SINK  is  presented  in  Fig.  6.2. 


Figure  6.2:  PER[%]  as  a  function  of  SINK  for  RTS  and  CTS  messages 

It can be observed from Fig. 6.1 and Fig. 6.2 that as a result of interference the observer may not hear RTS or CTS messages, which results in a corrupted observation sequence and detection delay. Given the fact that timely detection of attacks is of crucial importance in wireless environments, this represents a significant obstacle. In the remainder of this section we perform a detailed analysis of possible interference scenarios and their impact on the performance of detection schemes. We analyze the worst-case performance of the detection scheme and establish performance bounds.

6.2  Problem  setup 

Before proceeding towards a formal analysis of the interference problem at the observer's side, we first address the issue at the attacker's side. In this work we assume that the goal of the attacker is to deny medium access to legitimate protocol participants. The attacker achieves this by adopting strategies that give him a higher access probability and consequently increase his own gain. In the presence of interference we assume the attacker attempts to access the medium with the same strategy that was presented in Chap. 4. However, due to low SINR, he may miss the CTS message from the receiver and not send any data. We now note that, although the adversary does not gain access to the medium, in this case the main goal is achieved: (i) the adversary transmits an RTS message and silences his neighborhood for the duration of the potential data transmission and (ii) the receiver sends a CTS message which silences its own neighborhood, just as if the whole exchange of data were successful. Hence, the adversary, whose goal is to deny access to legitimate participants, still achieves his goal in the presence of interference and need not change his own strategy. On the other hand, the presence of errors at the detector's side will result in delayed detection and needs to be considered. In this scenario, we assume that the detector experiences interference and fails to detect a new control message sent by an attacker with probability $p_2$. As a consequence, the detector will no longer observe the original attacker's strategy $f_1(x)$. Instead, it will observe the new back-off distribution $\tilde f_1(x)$, which is generated according to the following set of rules:

1. The real back-off $x_1$ is observed with probability $1 - p_2$;

2. back-off $x_1 + x_2$ is observed with probability $p_2(1 - p_2)$ (one transmission of the attacker is not observed);

3. back-off $x_1 + x_2 + x_3$ is observed with probability $p_2^2(1 - p_2)$ (2 transmissions of the attacker are not observed);

4. ...

5. back-off $x_1 + \ldots + x_i$ is observed with probability $p_2^{i-1}(1 - p_2)$ ($i - 1$ transmissions of the attacker are not observed);

where each back-off $x_i$ is generated according to the original pdf $f_1(x)$ given by Eq. (4.21). For example, the new pdf generated by missing one transmission can be calculated from $P(X_1 + X_2 \le Y)$, which is nothing else but the convolution $f_1(x) * f_1(x)$. In order to illustrate this, we present a simple scenario in Fig. 6.3. We assume the malicious node M attempts to access the channel using the optimal pdf $f_1(x)$, generating the corresponding back-off values $b_i$. When no interference is present, an observer (detector) that is measuring back-off values of neighboring stations measures the time periods $T_i$ between successive RTS messages and calculates the corresponding back-off values $b_i$ (an example of such a calculation is provided in Chap. 3 or in [27]). However, if the observer misses the second control message, it measures back-off $b_1 + b_2$ at time instance $t_2$ instead of registering two successive back-off values $b_1$ and $b_2$ at time instances $t_1$ and $t_2$ respectively. Depending on the duration of interference, the observer retrieves a corrupted back-off sequence, which results in detection delay.

Figure 6.3: Noise diagram.
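To make the SPRT overhead argument of the previous chapter and the missed-observation rules above concrete, here is an added example (written for this edit, not the thesis's code). It runs the SPRT keeping only $S_n$, $a$ and $b$, builds the observed pdfs of Eq. (6.3) by discrete convolution for a given miss probability $p_2$, and checks the mean scaling of the observed distribution derived in Claim 6.2.1. Assumptions: the legitimate window is normalised to $W = 1$, the attacker uses the truncated-exponential worst case of Chap. 4 with a constructed rate, and the mixture is truncated after six missed messages.

```python
import math
import random

W = 1.0       # legitimate back-off window, normalised (assumption of this example)
BINS = 100    # grid points per window for the discretised pdfs (assumption)
I_MAX = 6     # longest run of missed messages kept in the mixture (assumption)


def sprt_thresholds(alpha, beta):
    """Wald thresholds a < 0 < b for false-alarm rate alpha and miss rate beta."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def truncated_exp_pmf(lam, bins=BINS, w=W):
    """f1 on grid points k*w/bins: the exponential worst case of Chap. 4, cut at w."""
    h = w / bins
    pmf = [math.exp(-lam * k * h) for k in range(bins)]
    z = sum(pmf)
    return [v / z for v in pmf]

def uniform_pmf(bins=BINS):
    """f0 ~ Unif[0, W], the legitimate IEEE 802.11 back-off, on the same grid."""
    return [1.0 / bins] * bins

def convolve(a, b):
    """Discrete convolution; grid indices add exactly because points sit at k*h."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def observed_pmf(pmf, p2, i_max=I_MAX):
    """Eq. (6.3): (1-p2) f + p2(1-p2) f*f + p2^2(1-p2) f*f*f + ..., cut at i_max."""
    mix = [0.0] * (len(pmf) * i_max - (i_max - 1))
    conv, total = list(pmf), 0.0
    for i in range(1, i_max + 1):
        weight = (1 - p2) * p2 ** (i - 1)
        total += weight
        for k, v in enumerate(conv):
            mix[k] += weight * v
        if i < i_max:
            conv = convolve(conv, pmf)
    return [v / total for v in mix]   # renormalise the truncated tail

def grid_mean(pmf, bins=BINS, w=W):
    """Mean of a grid pmf; Claim 6.2.1: observed mean = true mean / (1 - p2)."""
    h = w / bins
    return sum(k * h * v for k, v in enumerate(pmf))

def merge_missed(backoffs, missed):
    """Rules 1-5 of Sect. 6.2: a missed control message folds its back-off into the next."""
    observed, acc = [], 0.0
    for x, was_missed in zip(backoffs, missed):
        acc += x
        if not was_missed:
            observed.append(acc)
            acc = 0.0
    return observed                 # a trailing run of misses yields no observation

def sample_truncated_exp(rng, lam, w=W):
    """Inverse-CDF draw from the attacker's truncated exponential on [0, w)."""
    return -math.log(1 - rng.random() * (1 - math.exp(-lam * w))) / lam

def sprt_detect(observations, g1, g0, alpha=0.01, beta=0.01, bins=BINS, w=W):
    """Run the SPRT keeping only S_n, a and b; return (decision, samples consumed)."""
    a, b = sprt_thresholds(alpha, beta)
    last = max(k for k, v in enumerate(g0) if v > 0)   # support of the observed f0
    s_n = 0.0                                          # the detector's whole state
    for n, x in enumerate(observations, 1):
        k = int(x / w * bins)
        if k > last:                # longer merge than the truncated mixture models
            continue
        s_n += math.log(g1[k] / g0[k])     # one ratio and one addition per sample
        if s_n >= b:
            return "H1", n
        if s_n <= a:
            return "H0", n
    return "undecided", len(observations)

def detection_delay(lam, p2, seed=1, n_true=4000):
    """Observations an observer with miss probability p2 needs to flag the attacker."""
    rng = random.Random(seed)
    true_backoffs = [sample_truncated_exp(rng, lam) for _ in range(n_true)]
    missed = [rng.random() < p2 for _ in true_backoffs]
    obs = merge_missed(true_backoffs, missed)
    g1 = observed_pmf(truncated_exp_pmf(lam), p2)   # what the detector expects of the attacker
    g0 = observed_pmf(uniform_pmf(), p2)            # and of a legitimate node
    return sprt_detect(obs, g1, g0)


if __name__ == "__main__":
    for p2 in (0.0, 0.2, 0.5):   # constructed miss probabilities
        print("p2 = %.1f ->" % p2, detection_delay(lam=8.0, p2=p2))
```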


6.2.1  Derivation  of  the  worst-case  attack  in  the  presence  of  interference 


In this section we derive an expression for the worst-case attack in the presence of interference following the framework from Chap. 4 and evaluate the performance loss of the detector in such scenarios. We assume that the adversary generates the back-off sequence using an optimal pdf $f_1^*(x)$. As a consequence of interference, the detector observes a different back-off sequence and a different pdf for both the adversary and the legitimate participant: $\tilde f_1^*(x)$ and $\tilde f_0(x)$ respectively. Following the approach from Chap. 4, the detection delay is inversely proportional to $\int \tilde f_1(x)\log\frac{\tilde f_1(x)}{\tilde f_0(x)}\,dx$. However, $\tilde f_0(x)$ is no longer uniform and now the problem of finding the attack that maximizes the number of observations needed for detection reduces to the problem:

$$\min_{f_1^*}\int \tilde f_1^*(x)\log\frac{\tilde f_1^*(x)}{\tilde f_0(x)}\,dx \qquad (6.1)$$

subject to the constraints

$$\int x f_1(x)\,dx \le \eta \quad\text{and}\quad \int f_1(x)\,dx = 1 \qquad (6.2)$$

where $\eta$ has the same meaning as in Chap. 4. We now observe that the constraints from Eq. (6.2) are with respect to $f_1(x)$, while the expression in Eq. (6.1) that needs to be minimized is with respect to $\tilde f_1(x)$. In order to derive an expression for the optimal pdf we first prove the following claim:

Claim 6.2.1. Imposing constraints on $f_1(x)$ is equivalent to imposing constraints on $\tilde f_1(x)$, i.e. there exists a linear relation between the constraints with a known factor.

Proof. Assuming that the probability of missing a control message sent by an attacker is $p_2$, the expression for $\tilde f_1^*(x)$ can be written as:

$$\tilde f_1^*(x) = (1 - p_2)f_1^*(x) + p_2(1 - p_2)\,f_1^* * f_1^*(x) + p_2^2(1 - p_2)\,f_1^* * f_1^* * f_1^*(x) + \ldots \qquad (6.3)$$

where $*$ denotes convolution. Applying the Laplace transform to Eq. (6.3) yields:

$$\tilde F_1^*(s) = (1 - p_2)F_1^*(s) + p_2(1 - p_2)\left(F_1^*(s)\right)^2 + p_2^2(1 - p_2)\left(F_1^*(s)\right)^3 + \ldots \qquad (6.4)$$

After applying the well known properties of the Laplace transform, $F(0) = 1$ and $\int x f(x)\,dx = -\frac{dF(s)}{ds}\Big|_{s=0}$, to Eq. (6.4), the following expression is obtained:

$$\frac{d\tilde F_1^*(s)}{ds}\Big|_{s=0} = \left[(1 - p_2) + 2p_2(1 - p_2) + 3p_2^2(1 - p_2) + \ldots\right]\frac{dF_1^*(s)}{ds}\Big|_{s=0} \qquad (6.5)$$

By using $\frac{dF(s)}{ds}\Big|_{s=0} = -\int x f(x)\,dx$ it is now easy to derive from Eq. (6.5) that

$$\int x\tilde f_1(x)\,dx = \frac{1}{1 - p_2}\int x f_1(x)\,dx$$

which concludes the proof. □


We now transfer the constraints from $f_1(x)$ to $\tilde f_1(x)$ and form the following Lagrangian:

$$L(\tilde f_1, \lambda, \mu) = \int \tilde f_1(x)\log\frac{\tilde f_1(x)}{\tilde f_0(x)}\,dx + \lambda\int x\tilde f_1(x)\,dx + \mu\int \tilde f_1(x)\,dx \qquad (6.6)$$

where $\mu$ is the Lagrange multiplier corresponding to the equality constraint and $\lambda$ is the Karush-Kuhn-Tucker (KKT) multiplier corresponding to the inequality constraint. The KKT conditions can be expressed as follows:

1. $\partial L / \partial \tilde f_1 = 0$

2. $\lambda \ge 0$

3. $\lambda\left(\int x\tilde f_1(x)\,dx - \eta\right) = 0$

4. $\int \tilde f_1(x)\,dx = 1$

5. $\int x\tilde f_1(x)\,dx \le \eta$

In order to derive a result using condition (1), we apply the method of variations to Eq. (6.6). In order to proceed further, we assume that

$$\tilde f_1^{\epsilon}(x) = (1 - \epsilon)\tilde f_1(x) + \epsilon\,\delta(x)$$

which corresponds to a perturbation around $\tilde f_1(x)$. By replacing $\tilde f_1(x)$ with $\tilde f_1^{\epsilon}(x)$ in Eq. (6.6), the criterion becomes a function of $\epsilon$. Consequently, if $\tilde f_1(x)$ is optimum, then the derivative with respect to $\epsilon$ at $\epsilon = 0$ must be 0. If we take the derivative and set $\epsilon = 0$, we obtain

$$\int\left(\delta(x)\log\frac{\tilde f_1(x)}{\tilde f_0(x)} + \delta(x) + \lambda x\delta(x) + \mu\delta(x)\right)dx = \int \delta(x)\left(\log\frac{\tilde f_1(x)}{\tilde f_0(x)} + 1 + \lambda x + \mu\right)dx = 0 \qquad (6.7)$$

Since Eq. (6.7) must be valid for any density $\delta(x)$, the following expression for $\tilde f_1(x)$ is obtained:

$$\log\frac{\tilde f_1(x)}{\tilde f_0(x)} + 1 + \lambda x + \mu = 0$$

and consequently

$$\tilde f_1(x) = \tilde f_0(x)\,e^{-1-\mu}\,e^{-\lambda x} \qquad (6.8)$$


By analyzing the second KKT condition, $\lambda \ge 0$, for (i) $\lambda = 0$ and (ii) $\lambda > 0$, we conclude that $\lambda > 0$ at all times, i.e. all constraints are active. We now observe that $\tilde f_1(x)$ from Eq. (6.8) is of exponential nature only if $\tilde f_0(x)$ is either of exponential nature or constant (as in Chap. 4). Due to the fact that $f_0(x) \sim \mathrm{Unif}[0, W]$,

$$F_0(s) = \frac{1 - e^{-sW}}{sW}$$

It is now easy to derive the relation between $\tilde F_0(s)$ and $F_0(s)$ from Eq. (6.3):

$$\tilde F_0(s) = (1 - p_2)F_0(s)\left(1 + p_2F_0(s) + p_2^2F_0^2(s) + \ldots\right) = \frac{(1 - p_2)F_0(s)}{1 - p_2F_0(s)} \qquad (6.9)$$

Obviously, $\tilde f_0(x)$ is neither constant nor exponential, which results in $\tilde f_1(x)$ no longer being of exponential nature. Consequently, the analysis from the previous chapters is no longer valid. Although the adversary still accesses the channel using the pdf $f_1(x)$ (and denies channel access to the legitimate participants for the same amount of time) and the legitimate participants access the channel using the uniform pdf $f_0(x)$, the detector observes different access distributions for both the adversary and the legitimate participants, which results in a different detection delay. We now propose a framework for establishing performance bounds of the adversary and the IDS in the presence of interference.
Figure 6.4: Markov Chain representation of the system. Each state corresponds to a different SINR level.

6.3 FSM for SINR variation

As has previously been pointed out, the detector will miss an observation with a certain probability, which consequently results in erroneous back-off observations. In this analysis we adopt the approach from [28] and apply it to the case of the IEEE 802.11 noisy environment.

6.3.1  System  model 

Let $S = \{s_1, s_2, \ldots, s_K\}$ denote the state space of a Markov chain with $K$ states. Each of the $K$ states corresponds to a certain SINR level. We assume that each SINR level results in a corresponding observation error at the detector's side. More specifically, we assume that $\mathrm{SINR}_i$ results in observing back-off $X_i = x_1 + \ldots + x_i$ instead of observing the separate back-off values $x_1, x_2, \ldots, x_i$. Consequently, we assume that the detector observes an erroneous back-off generation pdf in each state $i \ne 1$, equal to the $i$-fold convolution $f_1^{*i}(x) = f_1(x) * \ldots * f_1(x)$, where $*$ denotes convolution. A system is said to be in state $s_k$ if the corresponding SINR values are in the range $[\Gamma_k, \Gamma_{k+1})$. Consequently, the system can be characterized with the following set of thresholds: $\Gamma = [\Gamma_1, \ldots, \Gamma_{K+1}]$. Furthermore, let $P_{ij}$ and $\pi_i$ represent the state transition probability and the steady state probability respectively. We assume that transitions happen only between adjacent states, resulting in $P_{ik} = 0$ for $|k - i| > 1$. The actual values of the thresholds and transition probabilities can be obtained by simulation (as in [28]), and the analysis of the methods used for such performance evaluation is beyond the scope of this thesis.

6.3.2  Performance  analysis 

In order to evaluate the performance of the IDS in the presence of interference we first return to Fig. 6.4. It has already been mentioned that in each state of the Markov chain the detector observes a different back-off sequence, i.e. in state $i$ the observed back-off will be $x_1 + \ldots + x_i$ and the detector will register a single (large) back-off value instead of registering $i$ separate (small) back-off values. We now observe the worst-case scenario, when $i \to \infty$. Since $x_1, x_2, \ldots$ is a sequence of random variables which are defined on the same probability space, share the same probability distribution and are independent, the distribution of their sum $S_i = \sum_{k=1}^{i} x_k$ approaches the normal distribution $\mathcal{N}(i\mu, \sigma^2 i)$. Hence, for $K$ (from Fig. 6.4) sufficiently large, the distance between the observed distributions becomes the distance between $\mathcal{N}(K\mu_1, \sigma_1^2 K)$ and $\mathcal{N}(K\mu_0, \sigma_0^2 K)$, where $\mu_i, \sigma_i^2$, $i = 0, 1$, represent the mean and variance of the legitimate and adversarial distributions.

Due to the fact that the detection delay $E[N]$ is inversely proportional to the KL-distance between the original and adversarial distributions, the only fact we are interested in at this point is how this distance changes as the interference level increases. For this analysis we again return to the Markov chain in Fig. 6.4. We now observe states $i$ and $i + 1$ of the Markov chain. The corresponding distributions in states $i$ and $i + 1$ are $f_1^{*i}, f_{0i}$ and $f_1^{*(i+1)}, f_{0(i+1)}$ respectively. Using the proof from [29] we form the following Lemma:




Figure 6.5: Performance comparison of the detection scheme with and without interference for absolute gain 0.8.

Lemma 6.3.1. If the distributions at states $i$ and $i + 1$ of the Markov chain are $f_1^{*i}, f_{0i}$ and $f_1^{*(i+1)}, f_{0(i+1)}$ respectively, then $D(f_1^{*i}\,\|\,f_{0i}) > D(f_1^{*(i+1)}\,\|\,f_{0(i+1)})$ for all $i \ge 1$.


The above lemma states that the KL-distance between the original and the adversarial distributions decreases as $i$ increases. Knowing that $i$ increases with the increase of the interference level (or decrease in the SINR level), we conclude that the KL-distance between the observed distributions decreases with the increase of interference. Since the detection delay $E[N]$ is inversely proportional to the KL-distance, it is easy to see that the detection delay increases with the increase of the interference level in the system. This result was expected even from intuitive analysis, since the detector observes larger back-off values than the actual ones, which logically leads to delay in detection (i.e. the detector believes that the adversary is accessing the channel using the legitimate back-off function). In order to illustrate the impact of interference on the performance of a detection scheme, we simulate the interference scenario where the detector observes back-off $x_1 + x_2$ instead of two separate back-off values, for the value of absolute gain 0.8. The results are presented in Fig. 6.5. We can see that even a low interference level has a significant impact on the performance of the detector, and the detection delay increases by up to 50%.

We now quantify the impact of interference on the performance of the IDS in terms of $P_D$ and $P_{FA}$. It is known from [25] that $P_D$ decreases as the distance between the observed distributions decreases. As a consequence of this change, the operating point of the detection system shifts from $(P_{FA_1}, P_{D_1})$ to $(P_{FA_2}, P_{D_2})$, where $P_{D_1} > P_{D_2}$ and $P_{FA_1} > P_{FA_2}$. Consequently, the increase in interference levels will force the IDS towards the operating point $(P_{FA_k}, P_{D_k}) = (0, 0)$. The interpretation of this result is that the features of the deployed IDS are not good enough for the environment and that either more IDSs need to be deployed or another, more robust, IDS needs to be deployed.

We now observe that the presence of interference can severely affect the detector's performance. The solution to this problem is to have multiple detectors with different sensitivity levels available and, depending on the requirements of the IDS and the environment conditions, decide which ones to use. For example, in systems where timely decision making is of crucial importance, the deployed IDSs need to be more robust to interference (and thus more expensive [22]), and it is also advisable to deploy multiple detectors in order to minimize the probability of error in decision making. Finally, as we have seen, it is important not only to design a quickest detection system; the crucial step in designing a precise and robust IDS is to evaluate the environment in which it will be operating and to be able to provide certain performance guarantees, such as that in environments with $\mathrm{SINR} < \mathrm{SINR}_c$ the system will be able to guarantee detection delay $T_D$ with $P_{FA_1}, P_{D_1}$. If the guarantees do not satisfy the needs of the system, either a more expensive detection system needs to be purchased or alternative detection methods need to be deployed.
Chapter 7

Cross-entropy  minimization  and  its  applications  in  intrusion  detection 

In [26] the problem of quickest detection of an optimal attacker was considered and the performance was evaluated based on the average detection delay. A specific class of exponential functions was found to represent the worst-case attack scenario. In this work we present the first step towards building a general procedure for constructing an optimal attack scenario in the MAC layer under a general set of constraints that can be adapted based on the specific requirements of an IDS. To achieve this, we use the principle of minimum cross-entropy [30], which represents a general method of inference about an unknown probability density given new information in the form of constraints on expected values. More specifically, we use the fact from [31] that, given a continuous prior density and new constraints, there is only one posterior density satisfying these constraints, and it can be obtained by minimizing cross-entropy. Using the aforementioned facts, we show that the general expression for the worst-case optimal attack in the IEEE 802.11 MAC is of exponential nature.

7.1  Analysis  of  single  and  multi-stage  attacks 

The principle of minimum cross-entropy provides a general method of inference about an unknown probability density $q_f(x)$ when there exists a prior estimate and new information $I$ about $q_f(x)$ in the form of constraints on expected values. In this notation $x$ represents a state of a system that has $B$ possible states, corresponding to possible back-off choices. In addition to that we introduce the set $\mathcal{D}$ of all probability densities $q(x)$ on $B$ such that $q(x) > 0$ for $x \in B$. The principle states that, of all densities that satisfy the constraints, one should choose the posterior $q_f(x)$ with the least cross-entropy

$$H[q_f, p] = \int q_f(x)\log\frac{q_f(x)}{p(x)}\,dx, \qquad (7.1)$$

where $p(x)$ is a prior estimate of $q_f(x)$ [30]. Furthermore, in [31] the authors show that the principle of minimum cross-entropy is the uniquely correct method for inductive inference when new information is given in the form of expected values. More specifically, given information in the form of constraints on expected values, there is only one distribution satisfying the constraints that can be chosen by a procedure that satisfies the consistency axioms. To apply this principle to the problem of MAC layer misbehavior detection we need to note that the goal of the attacker is to achieve maximal gain over a certain period of time, while minimizing the probability of detection $P_D$. We assume the existence of a set of constraints $\mathfrak{I}$ that describes the effects of the desired attack. Additionally, we assume that $\mathfrak{I}$ consists of several overlapping constraint subsets $\mathfrak{I}_1 \subset \mathfrak{I}_2 \subset \ldots \subset \mathfrak{I}_i \subset \ldots \subset \mathfrak{I}_k$, where $\mathfrak{I}_1$ corresponds to the DoS attack and $\mathfrak{I}_k$ corresponds to normal behavior. More specifically, we assume that a decrease in the index $i$ corresponds to an increase in the aggressiveness of the attacker's strategy (i.e. by decreasing $i$ we decrease the state space from which the possible back-off values can be chosen, restricting the attacker to choose from the set consisting of low back-off values). As the index $i$ increases, the constraints on the attacker's pdf are relaxed and the behavior converges towards normal. Finally, we revisit the definition of the constraint $I$, representing it using the constraint set notation as $I = (q_f \in \mathfrak{I})$.

It has already been mentioned that $q_f$ denotes the attacker's desired probability density function. The prior pdf $p$ is an estimate of $q_f$ prior to learning the constraints imposed upon the pdf. In our scenario, $p$ is uniform due to the fact that every legitimate participant in the IEEE 802.11 protocol chooses his back-off according to the uniform pdf. Given the uniform prior $p$ and the new information in the form of constraints on the expected value,

$$\int x f_1(x)\,dx \le \mathfrak{I}_f \qquad (7.2)$$

where $\mathfrak{I}_f$ is the final constraint, the posterior density $q_f$ is chosen by minimizing the cross-entropy $H[q_f, p]$ in the constraint set $\mathfrak{I}_f$:

$$H[q_f, p] = \min_{q' \in \mathfrak{I}_f} H[q', p] \qquad (7.3)$$

The above equation describes the behavior of a non-adaptive intelligent attacker. Namely, the attacker chooses to diverge from the original uniform pdf to the new pdf $f_1$ in one step. This strategy leads to sudden changes in the wireless medium and a sudden decrease in throughput. It has been shown in [27] that the above set of constraints leads to an attack strategy that is detected after observing $N$ back-off samples, assuming that the IDS relies solely on detection based on the number of back-off samples counted in the given time interval. However, if this detection strategy is combined with any change detection mechanism that aims to detect sudden changes in the number of dropped packets (such as watchdog [8]) or in throughput, the existence of the attacker can be detected much earlier. We instead propose an adaptive intelligent strategy that converges from the original uniform pdf towards the desired $q_f$ in $k$ steps, where $k$ is chosen according to the attacker's strategy.

The first strategy involves an aggressive approach, where the attacker diverges from the uniform pdf by choosing a subclass of pdfs with small back-off values, resulting in the final pdf $q_f(x)$. Alternatively, the attacker may choose to converge towards the desired pdf in 2 (or more) steps. We now prove that the attacker converges towards the same final pdf, regardless of the number of steps involved, if certain conditions regarding the constraints are fulfilled.

Proposition 7.1.1. Assume the constraints $I_1$ and $I_2$ are given by $I_1 = (q_f \in \mathfrak{I}_1)$ and $I_2 = (q_f \in \mathfrak{I}_2)$ for constraint sets $\mathfrak{I}_1, \mathfrak{I}_2 \subseteq \mathcal{D}$. If $(p \circ I_1) \in \mathfrak{I}_2$ holds, then $q_f = p \circ I_1 = p \circ (I_1 \wedge I_2)$.

In  other  words,  the  above  proposition  states  that  if  the  result  of  taking  information 
Ii  into  account  already  satisfies  the  constraints  imposed  by  additional  information  I2,  then 
taking  I2  into  account  doesn’t  change  the  final  outcome.  The  proof  follows  the  same  lines 
as  the  one  in  [31]. 


Proof. It is known by definition that $(p \circ I_1) \in \mathfrak{I}_1$ holds. Additionally, by the assumption, $(p \circ I_1) \in (\mathfrak{I}_1 \cap \mathfrak{I}_2)$ holds as well. By using the properties of the $\circ$ operator defined in [31], the following set of equations can be derived:

$$p \circ I_1 = (p \circ I_1) \circ (I_1 \wedge I_2) = (p \circ I_1) \circ I_2 \qquad (7.4)$$

Finally, the result follows from the fact that $q_f = p \circ I_1$ has the smallest cross-entropy of all densities in $\mathfrak{I}_1$ and consequently in $\mathfrak{I}_1 \cap \mathfrak{I}_2$. □

The correspondence to the strategy of an adaptive intelligent attacker is now obvious. The constraint $I_1$ corresponds to the more aggressive attack strategies that incur larger gain within a short period of time by choosing small back-off values. This strategy results in the final pdf $q_f$ after taking into consideration the constraint $I_1$. If the attacker first chooses a milder strategy by choosing the constraint $I_2$ that picks back-offs from a larger set of values, the final pdf differs from $q_f$ and is denoted as $p \circ I_2$. By knowing that the constraint set $\mathfrak{I}_1$ already satisfies the constraints imposed by $I_2$ and applying the previous proposition, we arrive at the conclusion that, regardless of the number of steps applied, the final pdf of the attacker will always be $q_f$ if the constraints applied in the adaptive strategy are already included in the most aggressive strategy.

7.2 Derivation of the worst-case attack using the principle of minimum cross-entropy

We now proceed with the description of the attacker. We assume that the attacker is intelligent: he is aware of the existence of monitoring neighboring nodes and adapts his access policy in order to avoid detection. In addition to that, the attacker has full information about the properties of the employed IDS and its optimal detection strategy. Unlike [26], we assume that the attacker does not choose a single strategy belonging to a specified class of pdfs for the whole length of the attack. We assume that the attacker's goal is to obtain a long-term gain by gradually changing his access policy. The attacker adapts to the new conditions in the system after the expiration of a period $\Delta t$ and updates his pdf given the new set of constraints. Therefore, the goal of the attacker is twofold:

• to diverge from the original pdf step by step by minimizing the distance between the original and the new distribution

• to constantly update his access policy by relaxing the initial constraints

It has been pointed out in [26] that the derived exponential pdf had the minimal differential entropy (which is equivalent to the case of maximum entropy when uniform priors are used) over all pdfs in the class of functions of interest. We now use the cross-entropy principle to show that all optimal attacks have pdfs that belong to the class of exponential functions. Depending on the specific environmental parameters, such as $P_D$, $P_{FA}$, the aggressiveness of the attack, the attack speed, etc., a specific subclass (which is again of exponential nature) that satisfies the defined constraints is derived.

We now derive the general solution for cross-entropy minimization given arbitrary constraints and illustrate the result with the specific IEEE 802.11 MAC attack defined in Chap. 4. The cross-entropy method can be outlined as follows. Given a positive prior density $p$ and a finite set of constraints

$$\int q(x)\,dx = 1, \qquad (7.5)$$

$$\int f_k(x)\,q(x)\,dx = \bar{f}_k, \quad k = 1, \ldots, m, \qquad (7.6)$$

we wish to find a density $q$ that minimizes

$$H(q, p) = \int q(x) \log \frac{q(x)}{p(x)}\,dx \qquad (7.7)$$

subject to the given set of constraints. By introducing Lagrange multipliers $\beta$ and $\lambda_k$ ($k = 1, \ldots, m$) corresponding to the constraints, the following expression for the Lagrangian is obtained:

$$L(q, \beta, \lambda_k, k = 1, \ldots, m) = \int q(x) \log \frac{q(x)}{p(x)}\,dx + \beta \left( \int q(x)\,dx - 1 \right) + \sum_{k=1}^{m} \lambda_k \left( \int f_k(x)\,q(x)\,dx - \bar{f}_k \right).$$

Thus the condition for optimality is:

$$\log \frac{q(x)}{p(x)} + 1 + \beta + \sum_{k=1}^{m} \lambda_k f_k(x) = 0. \qquad (7.8)$$

Solving for $q$ leads to

$$q(x) = p(x) \exp\left( -\lambda_0 - \sum_{k=1}^{m} \lambda_k f_k(x) \right) \qquad (7.9)$$

with $\lambda_0 = \beta + 1$. The cross-entropy at the minimum can be expressed in terms of the $\lambda_k$ and $\bar{f}_k$ as

$$H(q, p) = -\lambda_0 - \sum_{k=1}^{m} \lambda_k \bar{f}_k. \qquad (7.10)$$

It is necessary to choose $\lambda_0$ and $\lambda_k$ so that all the constraints are satisfied. In the presence of the constraint (7.5) we can rewrite the remaining constraints in the form

$$\int \left( f_k(x) - \bar{f}_k \right) q(x)\,dx = 0. \qquad (7.11)$$

If we find values for the $\lambda_k$ such that

$$\int \left( f_i(x) - \bar{f}_i \right) p(x) \exp\left( -\sum_{k=1}^{m} \lambda_k f_k(x) \right) dx = 0, \qquad (7.12)$$

the constraint (7.11) is satisfied and (7.5) is satisfied by setting

$$\lambda_0 = \log \int p(x) \exp\left( -\sum_{k=1}^{m} \lambda_k f_k(x) \right) dx. \qquad (7.13)$$

If the solution of Eqn. (7.13) can be found, the values of $\lambda_k$ can be found from the following relation:

$$\frac{\partial \lambda_0}{\partial \lambda_k} = -\bar{f}_k. \qquad (7.14)$$
By finding all the parameters from the given set of constraints, the attacker derives the new optimal pdf, $q(x)$, that minimizes the cross-entropy. Due to the fact that the attacker aims to achieve a certain gain over a long period of time, we assume that the attacker will modify his access policy by using $q(x)$ until new information about the system is collected. At that point the attacker again applies the procedure outlined in Eq. (7.5)-(7.14) and calculates the new pdf, $q_1(x)$, diverging from the original uniform distribution even further.


7.3  Optimal  Attack  Scenario  in  the  MAC  Layer  Using  the  Cross-entropy  Method 


We now apply the results from Sect. 7.2 to the specific case of an attack in the IEEE 802.11 MAC. Due to the fact that every node in the IEEE 802.11 MAC protocol is assumed to back off uniformly, the attacker's initial pdf $p(x)$ is assumed to be uniform over the interval $[0, W]$. The attacker wants to adapt to the conditions of the wireless environment by diverging from $p(x)$ and choosing the new pdf $q(x)$. In general, we claim that the posterior distribution $q$ can be expressed as a function of the prior distribution and the newly obtained information, $q = p \circ I$, where $I$ stands for the known constraints on expected values and $\circ$ is an "information operator" [31].

Using the results of the attack analysis from [27] the following set of constraints is obtained for the attacker's posterior pdf $q(x)$:

$$\int_0^W q(x)\,dx = 1 \qquad (7.15)$$

and

$$\frac{2}{W} \int_0^W x\,q(x)\,dx \le C_1 \qquad (7.16)$$

where $C_1 = f(\eta, n)$. Constraint (7.15) is due to the properties of a pdf and the constraint (7.16) was obtained in [27] by bounding the long-term probability of channel access in the scenario with one malicious node and $n$ legitimate nodes. The above class includes all possible attacks for which the incurred relative gain exceeds the legitimate one by $(\eta - 1) \times 100\%$. The class $\mathcal{F}_\eta$ is the uncertainty class of the robust approach and $\eta$ is a tunable parameter. Using the derivations from Sect. 7.2 and a uniform prior, the following expression for the optimal pdf $q(x)$ is derived:


$$q(x) = \frac{\lambda_1\, e^{\lambda_1 (1 - x/W)}}{W \left( e^{\lambda_1} - 1 \right)}, \qquad 0 \le x \le W, \qquad (7.17)$$

where the parameter $\lambda_0$ has been expressed as a function of $\lambda_1$. The parameter $\lambda_1$ is a solution to the following equation:

$$2 \left[ \frac{1}{\lambda_1} - \frac{1}{e^{\lambda_1} - 1} \right] = \frac{n + 1 - \eta}{n \eta}. \qquad (7.18)$$

After the period $\Delta t$ the attacker takes into account the new conditions in the form of the newly imposed constraints $I$ and, using $q(x)$ as a prior, calculates the new optimal pdf $q_1(x)$.
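The following added Python example (not code from the dissertation) carries out the cross-entropy recipe of Sect. 7.2 on the mean back-off constraint of Sect. 7.3, using a discrete slot distribution in place of the continuous pdf above; it also iterates the procedure the way the adaptive attacker does, re-using each result as the next prior. The contention window, the target means and the relaxation factor are constructed inputs.

```python
import math

# Added example, not code from the dissertation.  It applies the cross-entropy
# recipe of (7.9), (7.13) and (7.14) to a DISCRETE back-off distribution: the
# legitimate prior p(x) is uniform over the CW slots 0..W-1, and the single
# constraint f(x) = x fixes the attacker's mean back-off, which is the role of
# (7.16).  W, the target means and the relaxation factor are constructed inputs.

def uniform_backoff(W):
    """Legitimate prior p(x): uniform over the slots 0..W-1."""
    return {x: 1.0 / W for x in range(W)}

def tilt(prior, f, lam):
    """q(x) = p(x) exp(-lam0 - lam f(x)) with lam0 = log sum_x p(x) exp(-lam f(x)),
    i.e. (7.9) and (7.13) for one constraint.  Returns (q, lam0)."""
    w = {x: px * math.exp(-lam * f(x)) for x, px in prior.items()}
    z = sum(w.values())
    return {x: wx / z for x, wx in w.items()}, math.log(z)

def expectation(q, f):
    """E_q[f]."""
    return sum(f(x) * qx for x, qx in q.items())

def cross_entropy(q, p):
    """H(q,p) of (7.7) on a discrete support."""
    return sum(qx * math.log(qx / p[x]) for x, qx in q.items() if qx > 0)

def dlam0_dlam(prior, f, lam, h=1e-5):
    """Central difference of lam0 with respect to lam; by (7.14) it equals -E_q[f]."""
    return (tilt(prior, f, lam + h)[1] - tilt(prior, f, lam - h)[1]) / (2 * h)

def min_cross_entropy(prior, f, target, iters=200):
    """Solve E_q[f] = target for lam by bisection.  E_q[f] is strictly
    decreasing in lam (its derivative is -Var_q[f]), so the root is unique."""
    fmax = max(abs(f(x)) for x in prior) or 1.0
    lo, hi = -700.0 / fmax, 700.0 / fmax        # keeps exp() within double range
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        q, _ = tilt(prior, f, mid)
        if expectation(q, f) > target:
            lo = mid
        else:
            hi = mid
    lam = 0.5 * (lo + hi)
    q, lam0 = tilt(prior, f, lam)
    return q, lam, lam0

def adaptive_attacker(W, shrink, steps):
    """The adaptive attacker of Sect. 7.2: after each period the current pmf
    becomes the prior and the mean back-off constraint is tightened by the
    factor `shrink` (a constructed schedule).  Returns [(lam, mean)], final q."""
    f = lambda x: x
    q, history = uniform_backoff(W), []
    for _ in range(steps):
        q, lam, _ = min_cross_entropy(q, f, shrink * expectation(q, f))
        history.append((lam, expectation(q, f)))
    return history, q

if __name__ == "__main__":
    W = 16                                   # constructed contention window
    p = uniform_backoff(W)
    q, lam, lam0 = min_cross_entropy(p, lambda x: x, 0.8 * (W - 1) / 2)
    print("lambda_1 = %.4f  H(q,p) = %.4f" % (lam, cross_entropy(q, p)))
    print("(7.10) check: %.4f" % (-lam0 - lam * expectation(q, lambda x: x)))
    for lam_k, mean_k in adaptive_attacker(W, 0.8, 3)[0]:
        print("step: lambda = %.4f  mean back-off = %.3f slots" % (lam_k, mean_k))
```

Each tilt of an already tilted pmf stays in the exponential family, which is the "again of exponential nature" property claimed above for the adapted pdf.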
Chapter 8

Cross-layer  impact  of  optimal  attacks 

Under regular conditions the MAC layer has to go through multiple transmissions before detecting a link failure. The detection delay induced by the additional congestion due to the presence of one or more attackers causes the feedback delay to the routing layer. We now prove that an intelligent attacker acting under the optimal strategy described by the pdf $f_1(x)$ derived in Chap. 4 can cause devastating effects in the network layer if no MAC layer-based IDS is employed. Furthermore, we show that by employing the quickest detection scheme proposed in Chap. 4, the effects of such attacks can be easily prevented by isolating the detected attacker at the origin of the attack. Finally, we propose a cross-layer based cooperation scheme that is mainly oriented towards preventing propagation of local effects of MAC layer attacks.

We start our analysis by observing the scenario presented in Fig. 8.1 where the selfish node accesses the channel by using an optimal attack strategy. When the back-off counter decreases to zero, the selfish node sends an RTS to node Int2, which replies with a CTS. The RTS message silences Node2, which is in the wireless range of the selfish node. Source1 and Node1 are out of the range of both sender and receiver. Under the assumption that Source1 establishes a route to Destination1 through Node1 and Node2, it is reasonable to assume that Node1 will attempt to transmit to Node2 during the transmission period of the selfish node (we assume that all nodes are backlogged and always have traffic to send). Node2 is silenced by the selfish node's RTS and is not able to reply with a CTS. After a time period equal to the CTS timeout, Node1 increases its contention window exponentially and attempts to retransmit upon its expiration. We assume that Node1 constantly attempts to communicate with silenced nodes and consequently increases its contention window until it reaches its maximal value. At the same time, Source1 sends its regular traffic to Node1, increasing its backlog over time. As the misbehavior coefficient of the selfish node increases (or equivalently its back-off decreases), the selfish node gains a larger percentage of channel access. Consequently, Node2 is silenced more frequently, increasing the backlog at Node1.

Assuming that each node has a finite buffer of size $\nu$, we now derive a general expression for the expected time to buffer overflow at Node1. Furthermore, by analyzing the scenario in Fig. 8.1 we simplify the general expression, deriving an expression applicable to the analysis of the effects of an optimal attack. We show by analysis and simulation that if no ID mechanism is employed in the MAC layer, the optimal MAC attack forces legitimate nodes to drop a significant number of packets due to buffer overflow. If a watchdog-based or a more sophisticated reputation-based detection scheme is employed in the network layer, one or more legitimate nodes can easily be flagged as malicious due to the large number of dropped packets.

Finally, we analyze the scenario presented in Fig. 8.2 and present the effects of an optimal MAC layer attack on routes that are out of the wireless range of the attacker. We show that an intelligent attacker can easily cause route failure by attacking nodes that belong to the routes with the highest capacity. The results are presented for two routing protocols: Dynamic Source Routing (DSR) [32] and Ad hoc On-Demand Distance Vector (AODV) [33].
Figure 8.1: Node2 is silenced by the transmission of the selfish node. Consequently, Node1 drops a large number of packets.

Figure 8.2: An ongoing attack in the MAC layer breaks the original route, re-routing the traffic through Node3.

8.1 Impact of MAC Layer Misbehavior on the Network Layer: Time to Buffer Overflow

As has been mentioned, the secondary effects of an optimal MAC layer attack can be as devastating as the primary ones with respect to the network connectivity. If no alternative route can be found, a non-DoS optimal MAC layer attack can produce DoS-like effects in the network layer due to the exponential nature of the IEEE 802.11 DCF back-off algorithm (such as causing buffer overflow in Node1 from Fig. 8.1). This section provides a comprehensive analysis of the scenario presented in Fig. 8.1, followed by analysis of the scenario presented in Fig. 8.2 and simulation results.

We denote the incoming traffic as $\alpha_t$ and the outgoing traffic as $\beta_t$ and assume that both processes are Poisson with parameters $\alpha$ and $\beta$ respectively. Consequently, $\delta_t$ represents the difference between the incoming and outgoing traffic: $\delta_t = (\alpha_t - \beta_t)^+$ at time $t$. Equivalently, $\delta_t$ represents the increase rate of packets in the buffer over time, or backlog. In this setup we are interested in finding the time of buffer overflow

$$T = \inf\{ t : \delta_t \ge \nu \} \qquad (8.1)$$

where $\nu$ denotes the buffer size. Clearly $T$ is random; in fact it is a stopping time. Next we are going to develop closed-form expressions for the average time to overflow, that is, $E[T]$.

Let $U_1 < U_2 < U_3 < \ldots$ represent the arrival times and $V_1 < V_2 < V_3 < \ldots$ the departure times; a typical form of the paths of $\delta_t$ is depicted in Fig. 8.3.

Figure 8.3: Arrival and departure times in the queue of length S

We observe that $\delta_t$ exhibits piecewise constant paths with discontinuities of size equal to $\pm 1$. Without loss of generality we are going to assume that these paths are right continuous. In order to be able to compute $E[T]$ we need to study the paths of the process $g(\delta_t)$ where $g(\cdot)$ denotes a continuous nonlinear function. If $t < T$ is any time instant before overflow, using the right continuity of $\delta_t$, we can write

$$g(\delta_t) - g(\delta_0) = \sum_{n=1}^{\alpha_t} \left[ g(\delta_{U_n}) - g(\delta_{U_n-}) \right] + \sum_{n=1}^{\beta_t} \left[ g(\delta_{V_n}) - g(\delta_{V_n-}) \right] \qquad (8.2)$$
where $U_n-$ and $V_n-$ denote the time instants right before the $n$-th arrival and departure respectively. Since the discontinuities of $\delta_t$ are equal to $\pm 1$ (depending on whether we have an arrival or a departure), we can write

$$g(\delta_{U_n}) = g(\delta_{U_n-} + 1), \quad \text{and} \quad g(\delta_{V_n}) = g\big( (\delta_{V_n-} - 1)^+ \big)$$

with the latter positive part needed because we have a departure only when the buffer is not empty. Substituting both equalities in (8.2) the following expression is obtained

$$g(\delta_t) - g(\delta_0) = \int_0^t \left[ g(\delta_{s-} + 1) - g(\delta_{s-}) \right] d\alpha_s + \int_0^t \left[ g\big( (\delta_{s-} - 1)^+ \big) - g(\delta_{s-}) \right] d\beta_s.$$

Replacing in the latter expression $t = T$ and applying expectation we have

$$E[g(\delta_T)] - g(\delta_0) = E\left[ \int_0^T \left[ g(\delta_{s-} + 1) - g(\delta_{s-}) \right] d\alpha_s \right] + E\left[ \int_0^T \left[ g\big( (\delta_{s-} - 1)^+ \big) - g(\delta_{s-}) \right] d\beta_s \right].$$

Because $T$ is a stopping time and $\delta_{s-}$ is in the past of the time instant $s$, according to [34], in the previous two expectations we can replace $d\alpha_t$ with $\alpha\,dt$ and $d\beta_t$ with $\beta\,dt$ where $\alpha, \beta$, recall, are the corresponding rates of the two Poisson processes. This leads to the following equation

$$E[g(\delta_T)] - g(\delta_0) = E\left[ \int_0^T \left\{ \alpha \left[ g(\delta_{s-} + 1) - g(\delta_{s-}) \right] + \beta \left[ g\big( (\delta_{s-} - 1)^+ \big) - g(\delta_{s-}) \right] \right\} ds \right]. \qquad (8.3)$$

Notice now that if we select $g(\cdot)$ to satisfy the difference equation

$$\alpha \left[ g(\delta + 1) - g(\delta) \right] + \beta \left[ g\big( (\delta - 1)^+ \big) - g(\delta) \right] = -1 \qquad (8.4)$$
then Eqn. (8.3) simplifies to

$$g(\delta_0) - E[g(\delta_T)] = E[T]. \qquad (8.5)$$

Since $\delta_t \ge 0$ the function $g(\cdot)$ needs to be defined only for non-negative arguments. However, in order to avoid using the positive part in (8.4), we can extend $g(\cdot)$ to negative arguments as follows

$$g(\delta) = g(0), \quad \text{for } -1 \le \delta \le 0, \qquad (8.6)$$

and this simplifies (8.4) to

$$\alpha \left[ g(\delta + 1) - g(\delta) \right] + \beta \left[ g(\delta - 1) - g(\delta) \right] = -1. \qquad (8.7)$$

Furthermore, since at the time of stopping $T$ we have a full buffer, that is, $\delta_T = \nu$ (with $\nu$ denoting the buffer size), if we impose the additional constraint

$$g(\nu) = 0, \qquad (8.8)$$

and recall that $\delta_0 = 0$, from (8.5) we obtain $E[T] = g(0)$.

Summarizing, we have $E[T] = g(0)$ where $g(\cdot)$ is a function that satisfies the difference equation (8.7) and the two boundary conditions (8.6), (8.8). Since $\nu$ is an integer it suffices to solve (8.7) for integer values of $\delta$, meaning that (8.7) can be seen as a recurrence relation of second order. The solution to our problem can thus be easily obtained and we have

$$E[T] = \begin{cases} \cdots\, 1] + \cdots \} & \text{for } \alpha \ne \beta, \\[2pt] \cdots & \text{for } \alpha = \beta, \end{cases} \qquad (8.9)$$

where $\rho = \beta/\alpha$ denotes the ratio between the outgoing and incoming traffic rates. In order to examine the effects of various levels of traffic, the stability of the network needs to be examined. By definition, stability of the network means bounded backlogs over time, i.e. $\sup_t E[\delta_i(t)] < \infty$ for all nodes $i$ in the network. We observe that whenever $\alpha > \beta$ (or $\rho < 1$) the exponential term (for large buffer size $\nu$) is negligible as compared to the linear term and the queue needs, on average, linear time to overflow (instability). In the opposite case $\alpha < \beta$ (or $\rho > 1$), the exponential term prevails and the average time to overflow becomes exponential (stability). These observations can also be seen in Fig. 8.4 for $\rho = \beta/\alpha = 3/2$ and $\rho = \beta/\alpha = 2/3$ where we plot the average time as a function of the buffer size $\nu$. Equivalently, $\alpha > \beta$ implies an increase of the backlog in the given node over a period of time and vice versa.
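The recurrence just described can be solved directly; the following added Python example (not code from the dissertation) does so, compares the result with a closed form derived here from (8.7), (8.6) and (8.8) rather than taken from the text, and cross-checks both against a simulation of the Poisson arrival/departure model. The rates, buffer sizes and RNG seed are constructed inputs.

```python
import random

# Added example, not code from the dissertation.  It solves the recurrence
# (8.7) with the boundary conditions (8.6) and (8.8) for E[T] = g(0), compares
# it with a closed form derived here from that recurrence (my derivation; the
# text's (8.9) is only partly legible), and checks both against a simulation
# of the Poisson arrival/departure model of Sect. 8.1.  All rates, buffer
# sizes and the RNG seed are constructed inputs.

def expected_time_to_overflow(alpha, beta, nu):
    """E[T] = g(0) from (8.7), (8.6), (8.8).

    With d(k) = g(k+1) - g(k), (8.7) reads alpha*d(k) - beta*d(k-1) = -1 and
    (8.6) gives d(-1) = g(0) - g(-1) = 0, so d(0), d(1), ... follow forward;
    (8.8) g(nu) = 0 then gives g(0) = -(d(0) + ... + d(nu-1))."""
    d, g0 = 0.0, 0.0
    for _ in range(nu):
        d = (beta * d - 1.0) / alpha
        g0 -= d
    return g0

def closed_form(alpha, beta, nu):
    """Closed form of the sum above (derived here), with rho = beta/alpha as in
    the text: for rho < 1 the term linear in nu dominates (linear time to
    overflow), for rho > 1 the rho**nu term dominates (exponential time)."""
    rho = beta / alpha
    if abs(rho - 1.0) < 1e-12:
        return nu * (nu + 1) / (2.0 * alpha)
    return (rho * (rho ** nu - 1.0) / (rho - 1.0) - nu) / (alpha * (rho - 1.0))

def simulate_time_to_overflow(alpha, beta, nu, runs, seed=1):
    """Monte Carlo estimate of E[T]: Poisson arrivals (rate alpha) and
    departures (rate beta); a departure at an empty buffer does nothing,
    which is the positive part in (8.4)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        t, backlog = 0.0, 0
        while backlog < nu:
            t += rng.expovariate(alpha + beta)          # time to next event
            if rng.random() < alpha / (alpha + beta):   # arrival
                backlog += 1
            elif backlog > 0:                           # departure
                backlog -= 1
        total += t
    return total / runs

def regime_table(alpha, beta, sizes):
    """E[T] for several buffer sizes, as plotted in Fig. 8.4."""
    return {nu: expected_time_to_overflow(alpha, beta, nu) for nu in sizes}

if __name__ == "__main__":
    for alpha, beta, label in ((1.5, 1.0, "rho = 2/3 (instability)"),
                               (1.0, 1.5, "rho = 3/2 (stability)")):
        print(label, regime_table(alpha, beta, (10, 50, 100)))
    print("beta = 0, as for Node1 in Fig. 8.1: E[T] = nu/alpha =",
          expected_time_to_overflow(2.0, 0.0, 100))
    print("simulation vs recurrence (alpha=1, beta=0.5, nu=10):",
          round(simulate_time_to_overflow(1.0, 0.5, 10, 2000), 2),
          round(expected_time_to_overflow(1.0, 0.5, 10), 2))
```

With $\beta = 0$, the case of a node whose next hop is silenced, the recurrence collapses to $E[T] = \nu/\alpha$, so the buffer fills in linear time regardless of its size.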


Figure 8.4: Average time to buffer overflow for $\rho = \beta/\alpha = 3/2$ (stability) and $\rho = \beta/\alpha = 2/3$ (instability), as a function of the buffer size $\nu$.

Figure 8.5: Average time to buffer overflow as a function of the traffic rate ratio $\rho = \beta/\alpha$ and buffer size $\nu = 100$.
In the stable case, we observe the extremely large average time required to overflow even for small values of the buffer size. In Fig. 8.5 we plot the average time as a function of the traffic rate ratio $\rho = \beta/\alpha$, assuming normalized incoming rate $\alpha = 1$ and buffer size $\nu = 100$. For any other value of $\alpha$, according to (8.9), we simply need to divide by $\alpha$.

We now return to the analysis of the scenario presented in Fig. 8.1. It has already been mentioned that with the increase of the aggressiveness of the attacker (i.e. parameter $\eta$ in Eq. 4.15), the percentage of channel access for Node2 will accordingly decrease. Meanwhile, Source1 keeps generating traffic at the same rate, sending packets to Node1. With Node2 being silenced, Node1 has the parameter $\beta$ equal to zero. Eq. 8.9 also suggests that whenever $\alpha \gg \beta$ (or $\rho \ll 1$) then $E[T] \approx \cdots$. In order to proceed further with the discussion we need to note that finding the average time to buffer overflow $E[T]$ is equivalent to finding the average time until the observed node starts losing traffic due to buffer overflow. We need to note that the scenario in which $\alpha \gg \beta$ represents the secondary effects of an optimal attack. We assume that the network has an Intrusion Detection System (IDS) implemented and that it detects a network layer attack with an average delay of $\Delta t$. Assuming that the buffer overflow happens at time $t$, the attack is detected at time $t_1 = t + \Delta t$. Consequently, the amount of traffic lost (TL) due to buffer overflow in node $i$ in a network of $k$ nodes at time $t_1$ can be defined as:

$$TL = \sum_{i=1}^{k} \alpha_i \left( \Delta t \;\cdots\; \frac{\nu}{\alpha_i} \cdots \right)$$

It can be easily observed from this expression that even small detection delays of the order of a couple of seconds have a relatively large traffic loss as a consequence.

To illustrate the amount of lost traffic due to detection delay in the network layer we present the results of the above analysis for a single node in Fig. 8.6 for various rates of incoming traffic. As expected, the amount of lost traffic increases as the incoming traffic rate increases.

Figure 8.6: The amount of lost traffic as a function of detection delay for fixed buffer size $\nu = 100$.


8.2  Numerical  Results 

8.2.1  Cross-layer  effects  of  the  optimal  MAC  layer  attacks 

In  order  to  illustrate  the  effects  of  an  optimal  MAC  layer  attack  on  the  network  layer 
we  analyze  the  two  scenarios  presented  in  Fig.  8.1  and  Fig.  8.2  with  DSR  and  AODV  as 
routing  protocols.  Before  proceeding  with  the  analysis,  a  short  description  of  the  routing 
protocols  used  in  the  experiments  is  provided. 

DSR is a source routing protocol: the source knows the complete hop-by-hop route to the destination and routes are stored in node caches. It consists of two basic mechanisms: Route Discovery and Route Maintenance. When a node attempts to send a data packet to a new destination, the source node initiates a route discovery process to dynamically determine the route. Route Discovery works by flooding Route Request (RREQ) packets. RREQ packets propagate throughout the network until they are received by a node with a route to the destination in its cache or by the destination itself. Such a node replies to the RREQ with a Route Reply (RREP) that is routed back to the original source. The RREQ builds up the path traversed until that moment by recording the intermediate nodes, and the RREP routes itself back to the source by traversing the path backwards. If any link along a path breaks, the Route Maintenance mechanism is invoked by using a Route Error (RERR) packet, resulting in removal of any route that contains that link. If the route is still needed by the source, a new route discovery process is initiated.

AODV uses table-driven hop-by-hop routing. It applies a similar Route Discovery process as DSR. However, instead of using route caches, it uses routing tables to store routing information, one entry per destination. AODV relies on routing table entries to propagate a RREP back to the source and to route data packets to the destination. Furthermore, AODV uses sequence numbers (carried by all packets) to determine the freshness of routing information and to prevent routing loops. One notable feature of AODV is the use of timers regarding utilization of routing table entries. Namely, a routing entry in the table may expire if it has not been used recently. Moreover, a set of neighboring nodes that use this entry is also maintained; these nodes are notified through RERR packets when the next-hop link breaks. This process is recursively repeated by each node, thereby effectively deleting all routes using the broken link. Upon that, a new Route Discovery process is initiated.

We now evaluate the cross-layer impact of the optimal attacker in the MAC layer. The results of the simulations are presented in Fig. 8.7 and Fig. 8.8. Fig. 8.7 analyzes the performance of Node1 from Fig. 8.1 as a function of $\epsilon$ with DSR and AODV as the routing protocols for two cases: (i) without MAC layer-based IDS and (ii) with the MAC layer-based IDS. It is reasonable to expect that Node2 is denied channel access more frequently as the aggressiveness of the selfish node increases in the absence of a MAC layer-based IDS. Consequently, Node1 is prevented from forwarding packets towards the destination. After evaluating the scenario from Fig. 8.1, we note that the percentage of dropped packets at Node1 increases with the aggressiveness of the attacker, since Node2 is denied access to the channel due to transmissions of the selfish node. We observe that the percentage increase in dropped traffic is almost linear until $\epsilon = 0.6$. However, a further increase in the aggressiveness of the attacker does not bring any significant benefit in terms of an increase in dropped traffic at legitimate nodes. This effect is due to the operating mechanism of the DSR protocol. Namely, if the neighboring node (in this case Node2) does not respond to the requests of the sender for a certain period of time, the route maintenance mechanism of the DSR protocol sends a RERR and a new RREQ is issued. Consequently, the contents of the buffer are flushed after the RERR is issued. Therefore, the maximum value of the percentage increase in dropped traffic due to malicious behavior in the MAC layer is bounded by (i) the size of the maintenance buffer in the observed node and (ii) the route maintenance timeout value (which in this case corresponds to a 40% increase in dropped traffic, even in the case of the DoS attack). Another interesting observation is that the number of dropped packets decreases for the maximal value of the misbehavior coefficient. This can be easily explained by the fact that Source1 cannot establish a route to Destination1 when a DoS attack is launched. Consequently, very few packets are sent to Node1, most of which are dropped due to unavailability of the neighboring node. AODV, on the other hand, exhibited high resistance to misbehavior, with the percentage of dropped packets being close to zero and almost independent of the degree of misbehavior. The difference in performance of the two protocols can be explained as follows. If a node that belongs to a DSR route detects a broken link, it tries to salvage packets waiting in the send buffer by searching for an alternative route in the route cache. Once this process fails, the packets in the buffer are dropped and a RERR is sent to the source. AODV, on the other hand, has no route cache, but instead uses local repair when a broken link is detected. Namely, if a node detects a broken link, it sends a RREQ directly to the destination. This implies that misuses that are targeted at disrupting services can generate only a temporary impact, forcing the attacker to repeat misuses at a higher frequency in order to disrupt the service. Observing the results in Fig. 8.7, we conclude that the local repair mechanism of the AODV protocol can handle failures due to MAC layer attacks with a much higher success rate than DSR.

Figure 8.7: Increase in dropped traffic at Node1.

Figure 8.8: Percentage increase in traffic through the alternate route as a consequence of an ongoing MAC layer attack.

To further illustrate the effects of an optimal MAC layer attack on the network layer we now proceed to the analysis of the scenario presented in Fig. 8.2. An additional traffic-generating source (Source2) and an additional node (Node3) that resides in the wireless range of Node1 are added. These additional nodes enable the creation of an alternative route to Destination1 in case of failure of Node2. We repeat the same misbehavior pattern of the selfish node as in the previous scenario and record the traffic increase through the alternative route. Due to the failure of Node2 and the exponential nature of the back-off mechanism of Node1, Node2 becomes unreachable after a certain threshold (that corresponds to $\epsilon = 0.4$) and traffic is re-routed to the final destination through Node3. This topology ensures better throughput for legitimate nodes and decreases the total number of dropped packets for the DSR protocol due to the fact that after the initial route is broken, an alternative route from its cache is used to send packets. AODV, for the same reasons as in the previous example, is again superior to DSR with respect to the number of packets dropped and does not use the alternative route.

8.2.2  Implementation  of  an  optimal  MAC  layer-based  IDS 

The experimental results of the scenario that employs an optimal MAC layer attack were presented in Sect. 8.2.1 and illustrated its effects in terms of lost traffic. In order to prevent (i) vertical propagation of attacks and (ii) false accusations of legitimate nodes we propose the detection scheme presented in Fig. 8.9. The proposed scheme consists of two modules. Module 1, residing in the MAC layer, employs the SPRT-based detection strategy described in Chap. 4. The advantage of having the MAC layer module is twofold. First of all, we avoid the trap of false accusations in the MAC layer due to collisions and constant retransmissions. Secondly, as we will see in the remainder of the section, it reduces the probability of false alarms in the Network Layer as well. Module 2 resides in the Network Layer and employs already existing detection mechanisms, such as watchdog or any other suitable algorithm for detection of malicious activities. The major problem with Network Layer-based detection algorithms is that they rely on observing the number of dropped packets as the main source of information and base their decisions on misbehavior on that information. However, a node may drop a significant amount of packets due to either poor channel conditions (i.e. interference) or network congestion, which may lead to false accusations. In order to prevent this scenario, we establish vertical communication among the detection modules. Both layers send their information to the IDS module. Module 1 sends the list of misbehaving nodes in the MAC layer and Module 2 sends the list of nodes with suspicious behavior (i.e. nodes which are accused by watchdog or some other mechanism). In addition to that, we assume the IDS has information about the network topology, such as interference graphs, existing paths etc. Using the information obtained from Module 1 and the topology information it makes a decision about misbehavior and broadcasts the decision information throughout the network. In addition to that, using the topology information it makes a temporary decision about the best route choices in order to avoid congested areas that were created due to misbehavior.

Figure 8.9: Proposed cross-layer collaboration
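As an added illustration (not the dissertation's implementation) of the decision step just described, the following Python snippet combines a Module 1 report, a Module 2 drop-rate report, an interference graph and the active routes into a misbehavior verdict and a list of routes to avoid; the node names follow Fig. 8.1 and Fig. 8.2, while the threshold, the extra node NodeX and all reports are constructed.

```python
from collections import defaultdict

# Added example, not code from the dissertation.  A toy version of the decision
# step of the cross-layer scheme in Sect. 8.2.2: Module 1 reports the nodes
# flagged by the MAC-layer detector, Module 2 reports the nodes whose drop rate
# exceeds a watchdog-style threshold, and the IDS module combines both with the
# interference graph and the active routes it is assumed to know.  Node names,
# the threshold, the graph and the reports are constructed to mirror Fig. 8.1
# and Fig. 8.2; "NodeX" is a constructed genuine misbehaver on another route.

DROP_THRESHOLD = 0.2   # constructed: fraction of forwarded packets dropped

def symmetric(graph):
    """Interference is mutual: make the adjacency symmetric."""
    adj = defaultdict(set)
    for u, vs in graph.items():
        for v in vs:
            adj[u].add(v)
            adj[v].add(u)
    return adj

def silenced_nodes(interference, mac_flagged):
    """Nodes in interference range of a MAC-flagged node: they are silenced
    by its RTS/CTS exchanges, as Node2 is in Fig. 8.1."""
    adj = symmetric(interference)
    return {v for u in mac_flagged for v in adj[u]}

def next_hops(routes):
    """node -> set of next hops it forwards to, over all active routes."""
    nh = defaultdict(set)
    for path in routes:
        for a, b in zip(path, path[1:]):
            nh[a].add(b)
    return nh

def classify(interference, routes, mac_flagged, drop_rates):
    """Returns (misbehaving, victims, detour_routes).

    A network-layer suspect whose next hop is silenced is a victim of the MAC
    attack (its drops are the secondary effect of Sect. 8.1), not an attacker;
    every other suspect stays accused.  Routes whose intermediate nodes are
    flagged or silenced are reported for temporary re-routing."""
    silenced = silenced_nodes(interference, mac_flagged)
    nh = next_hops(routes)
    suspects = {n for n, r in drop_rates.items() if r > DROP_THRESHOLD}
    victims = {n for n in suspects if nh[n] & silenced}
    misbehaving = set(mac_flagged) | (suspects - victims)
    blocked = set(mac_flagged) | silenced
    detours = [p for p in routes if any(n in blocked for n in p[1:-1])]
    return misbehaving, victims, detours

# Constructed topology after Fig. 8.1/8.2: the selfish node reaches Int2 and
# Node2; Source1 and Node1 are out of its range; Node3 offers a detour.
INTERFERENCE = {
    "Selfish": {"Int2", "Node2"},
    "Node2": {"Node1", "Destination1"},
    "Node1": {"Source1", "Node3"},
    "Node3": {"Destination1"},
    "NodeX": {"SourceX", "DestinationX"},
}
ROUTES = [
    ["Source1", "Node1", "Node2", "Destination1"],
    ["Source1", "Node1", "Node3", "Destination1"],
    ["SourceX", "NodeX", "DestinationX"],
]
MAC_FLAGGED = {"Selfish"}                        # Module 1 report (constructed)
DROP_RATES = {"Node1": 0.40, "Node2": 0.00,      # Module 2 report (constructed)
              "Node3": 0.01, "NodeX": 0.55}

if __name__ == "__main__":
    bad, victims, detours = classify(INTERFERENCE, ROUTES, MAC_FLAGGED, DROP_RATES)
    print("misbehaving:", sorted(bad))
    print("exonerated victims:", sorted(victims))
    print("routes to avoid for now:", detours)
```

Node1 is exonerated only because its next hop Node2 lies in the selfish node's range; NodeX, whose drops have no such explanation, stays accused.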

We now implement the optimal MAC layer-based detection scheme presented in [26] and investigate the effects on the dropped traffic in the network layer with DSR and AODV as routing protocols. We assume that all nodes that take part in the detection process are legitimate and do not falsely accuse their peers of misbehavior. The results are presented in Fig. 8.7. Observing the results for the DSR protocol performance we note that the IDS achieves maximum performance for misbehavior coefficients that are larger than 0.5 (i.e. more aggressive attacks). This can be easily explained by noting that the MAC layer IDS was constructed to detect the class of more aggressive attacks that have a higher impact on the system performance. On the other hand, the low-impact attacks take longer to be detected and influence the performance of the routing protocol. Namely, low-impact attacks achieve a certain gain in channel access time when compared to legitimate nodes. This causes temporary congestion in the MAC layer, where legitimate nodes back off for longer periods of time due to the exponential nature of the back-off mechanism in IEEE 802.11 DCF. Even after the selfish node is isolated, the legitimate nodes compete among themselves for channel access, which causes a small increase in dropped traffic. When the performance of low-impact attacks is analyzed, it can be observed that the congestion effects last for an additional 5-10 s after the isolation of the attacker. However, the IDS detects and isolates aggressive selfish nodes almost instantly, causing no effects in the network layer. Consequently, the percentage increase in dropped traffic at legitimate nodes for aggressive strategies of an optimal attacker is equal to zero. We also note that AODV is more robust to MAC layer attacks for the reasons mentioned in Sect. 8.2.1, and consequently the implementation of a MAC layer-based IDS has no significant influence on its performance.

We conclude that the effect of MAC layer misbehavior on the network layer is twofold: (i) legitimate nodes are forced to drop a significant number of packets due to unavailability of their neighbors that are blocked by the selfish node; (ii) consequently, it causes a significant decrease in throughput due to unavailability of one or more nodes belonging to the initial route. This gives rise to a larger number of false positives generated by an ID mechanism that resides in the network layer, since most of the network-based ID mechanisms are threshold-based and react only after a certain number of dropped packets per second is exceeded. Consequently, if no MAC layer ID mechanism is employed, legitimate nodes can be accused of misbehaving. This demonstrates the necessity of ID mechanisms in both the MAC and network layers.